[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 052/156] zaurus: fix buffer overrun on invalid state
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 052/156] zaurus: fix buffer overrun on invalid state load |
Date: |
Tue, 8 Jul 2014 12:17:23 -0500 |
From: "Michael S. Tsirkin" <address@hidden>
CVE-2013-4540
Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.
Since prev_level comes from wire indirectly, this can
happen on invalid state load.
Similarly for gpio_level and gpio_dir.
To fix, limit to 16 bit.
Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 52f91c3723932f8340fe36c8ec8b18a757c37b2b)
Signed-off-by: Michael Roth <address@hidden>
---
hw/gpio/zaurus.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/gpio/zaurus.c b/hw/gpio/zaurus.c
index dc79a8b..8e2ce04 100644
--- a/hw/gpio/zaurus.c
+++ b/hw/gpio/zaurus.c
@@ -203,6 +203,15 @@ static bool is_version_0 (void *opaque, int version_id)
return version_id == 0;
}
+static bool vmstate_scoop_validate(void *opaque, int version_id)
+{
+ ScoopInfo *s = opaque;
+
+ return !(s->prev_level & 0xffff0000) &&
+ !(s->gpio_level & 0xffff0000) &&
+ !(s->gpio_dir & 0xffff0000);
+}
+
static const VMStateDescription vmstate_scoop_regs = {
.name = "scoop",
.version_id = 1,
@@ -215,6 +224,7 @@ static const VMStateDescription vmstate_scoop_regs = {
VMSTATE_UINT32(gpio_level, ScoopInfo),
VMSTATE_UINT32(gpio_dir, ScoopInfo),
VMSTATE_UINT32(prev_level, ScoopInfo),
+ VMSTATE_VALIDATE("irq levels are 16 bit", vmstate_scoop_validate),
VMSTATE_UINT16(mcr, ScoopInfo),
VMSTATE_UINT16(cdr, ScoopInfo),
VMSTATE_UINT16(ccr, ScoopInfo),
--
1.9.1
- [Qemu-devel] [PATCH 062/156] linux-user/elfload.c: Update ARM HWCAP bits, (continued)
- [Qemu-devel] [PATCH 062/156] linux-user/elfload.c: Update ARM HWCAP bits, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 064/156] spapr_pci: Fix number of returned vectors in ibm, change-msi, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 063/156] linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 065/156] pci-assign: limit # of msix vectors, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 072/156] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 075/156] block/cloop: fix offsets[] size off-by-one, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 079/156] bochs: Check catalog_size header field (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 077/156] bochs: Unify header structs and make them QEMU_PACKED, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 076/156] qemu-iotests: Support for bochs format, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 052/156] zaurus: fix buffer overrun on invalid state load,
Michael Roth <=
- [Qemu-devel] [PATCH 086/156] curl: check data size before memcpy to local buffer. (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 084/156] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 085/156] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 088/156] qcow2: Check backing_file_offset (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 087/156] qcow2: Check header_length (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 089/156] qcow2: Check refcount table size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 094/156] qcow2: fix offset overflow in qcow2_alloc_clusters_at(), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 091/156] qcow2: Validate snapshot table offset/size (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 093/156] qcow2: Fix backing file name length check, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 097/156] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143), Michael Roth, 2014/07/08