From: Michael S. Tsirkin
Subject: [Qemu-devel] [PATCH v5 08/24] ahci: fix buffer overrun on invalid state load
Date: Thu, 3 Apr 2014 19:51:18 +0300
CVE-2013-4526
Within hw/ide/ahci.c, VARRAY refers to ports, which is also loaded. So
we use the old version of ports to read the array but then allow any
value for ports. This can cause the code to overflow.
There's no reason to migrate ports - it never changes.
So just make sure it matches.
Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
---
hw/ide/ahci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index bfe633f..457a7a1 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = {
VMSTATE_UINT32(control_regs.impl, AHCIState),
VMSTATE_UINT32(control_regs.version, AHCIState),
VMSTATE_UINT32(idp_index, AHCIState),
- VMSTATE_INT32(ports, AHCIState),
+ VMSTATE_INT32_EQUAL(ports, AHCIState),
VMSTATE_END_OF_LIST()
},
};
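Review bot: the commit message should say that the stream format is unchanged, because VMSTATE_INT32_EQUAL still consumes one int32 for `ports` from the stream and only changes what the loader does with it (compare it against the destination device's own `ports` and fail the load on mismatch instead of storing it), so no version_id bump is needed and streams from a source with the same `ports` keep loading. It is also worth stating that, since `ports` is now never written from the stream, the VARRAY that sizes itself on `ports` (mentioned in the description but outside this hunk) stays consistent with the destination device whatever its position relative to this field.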
--
MST
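The pattern described in the message, a length field that is both used to size a variable-length array and then overwritten from the stream, is small enough to model on its own. The following is an added example and not QEMU code: the DevState struct, the big-endian stream reader, MODEL_MAX_PORTS and the two loaders are assumptions standing in for vmstate_ahci, with load_state_unchecked mirroring the pre-patch VMSTATE_INT32 behaviour and load_state_checked mirroring VMSTATE_INT32_EQUAL semantics (compare with the destination's value, fail on mismatch, never store). The wire bytes are constructed inline.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug (not QEMU code): 'ports' is fixed when the
 * device is created and also sizes a variable-length array on the wire. */
#define MODEL_MAX_PORTS 32

typedef struct {
    int32_t  ports;                       /* set by the device model, never changes */
    uint32_t per_port[MODEL_MAX_PORTS];   /* VARRAY: 'ports' elements are on the wire */
} DevState;

/* Minimal big-endian stream reader standing in for the migration stream. */
typedef struct {
    const uint8_t *buf;
    size_t len, off;
} Stream;

static int get_be32(Stream *s, uint32_t *out)
{
    if (s->len - s->off < 4) {
        return -EINVAL;                   /* truncated stream */
    }
    const uint8_t *p = s->buf + s->off;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    s->off += 4;
    return 0;
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/* Pre-patch shape (VMSTATE_INT32): the array is read using the destination's
 * current 'ports', then 'ports' itself is overwritten with whatever the stream
 * says. Every later user of d->ports now trusts a sender-chosen bound. */
static int load_state_unchecked(DevState *d, Stream *s)
{
    uint32_t v;
    for (int32_t i = 0; i < d->ports; i++) {
        if (get_be32(s, &d->per_port[i])) return -EINVAL;
    }
    if (get_be32(s, &v)) return -EINVAL;
    d->ports = (int32_t)v;                /* no validation: 1000 is accepted */
    return 0;
}

/* Post-patch shape (VMSTATE_INT32_EQUAL semantics): the incoming value is
 * compared with the destination's own 'ports' and the load fails on
 * mismatch; d->ports is never written from the stream. */
static int load_state_checked(DevState *d, Stream *s)
{
    uint32_t v;
    for (int32_t i = 0; i < d->ports; i++) {
        if (get_be32(s, &d->per_port[i])) return -EINVAL;
    }
    if (get_be32(s, &v)) return -EINVAL;
    if ((int32_t)v != d->ports) return -EINVAL;
    return 0;
}

/* Build a constructed stream for a device with 2 ports whose 'ports' field
 * carries claimed_ports, run the chosen loader, and report the loader's
 * result together with the value of ports afterwards. */
static int run_scenario(int checked, uint32_t claimed_ports, int32_t *final_ports)
{
    DevState d;
    memset(&d, 0, sizeof d);
    d.ports = 2;                                  /* fixed by the "device model" */

    uint8_t wire[3 * 4];                          /* constructed sample input */
    put_be32(wire + 0, 0x11111111);               /* per_port[0] */
    put_be32(wire + 4, 0x22222222);               /* per_port[1] */
    put_be32(wire + 8, claimed_ports);            /* the 'ports' field */
    Stream s = { wire, sizeof wire, 0 };

    int rc = checked ? load_state_checked(&d, &s) : load_state_unchecked(&d, &s);
    *final_ports = d.ports;
    return rc;
}

int main(void)
{
    int32_t p;
    int rc = run_scenario(0, 1000, &p);
    printf("unchecked: rc=%d ports=%d (max %d)\n", rc, (int)p, MODEL_MAX_PORTS);
    rc = run_scenario(1, 1000, &p);
    printf("checked:   rc=%d ports=%d\n", rc, (int)p);
    return 0;
}
```

With the unchecked loader a stream claiming 1000 ports loads successfully and leaves ports far above MODEL_MAX_PORTS, so any subsequent loop bounded by ports walks off the end of per_port; with the checked loader the same stream is rejected and ports keeps the value the device was created with.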