[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 06/23] hpet: fix buffer overrun on invalid state lo
|
From: |
Michael S. Tsirkin |
|
Subject: |
[Qemu-stable] [PATCH 06/23] hpet: fix buffer overrun on invalid state load |
|
Date: |
Tue, 3 Dec 2013 18:28:37 +0200 |
CVE-2013-4527 hw/timer/hpet.c buffer overrun
hpet is a VARRAY with a uint8 size but static array of 32
To fix, make sure num_timers is valid using post_load hook.
Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
---
hw/timer/hpet.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
index 2eb75ea..acdc874 100644
--- a/hw/timer/hpet.c
+++ b/hw/timer/hpet.c
@@ -211,6 +211,15 @@ static void update_irq(struct HPETTimer *timer, int set)
}
}
+static void hpet_fix_num_timers(HPETState *s)
+{
+ if (s->num_timers < HPET_MIN_TIMERS) {
+ s->num_timers = HPET_MIN_TIMERS;
+ } else if (s->num_timers > HPET_MAX_TIMERS) {
+ s->num_timers = HPET_MAX_TIMERS;
+ }
+}
+
static void hpet_pre_save(void *opaque)
{
HPETState *s = opaque;
@@ -232,6 +241,8 @@ static int hpet_post_load(void *opaque, int version_id)
{
HPETState *s = opaque;
+ hpet_fix_num_timers(s);
+
/* Recalculate the offset between the main counter and guest time */
s->hpet_offset = ticks_to_ns(s->hpet_counter) -
qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
@@ -719,11 +730,8 @@ static void hpet_realize(DeviceState *dev, Error **errp)
sysbus_init_irq(sbd, &s->irqs[i]);
}
- if (s->num_timers < HPET_MIN_TIMERS) {
- s->num_timers = HPET_MIN_TIMERS;
- } else if (s->num_timers > HPET_MAX_TIMERS) {
- s->num_timers = HPET_MAX_TIMERS;
- }
+ hpet_fix_num_timers(s);
+
for (i = 0; i < HPET_MAX_TIMERS; i++) {
timer = &s->timer[i];
timer->qemu_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, hpet_timer,
timer);
--
MST
- [Qemu-stable] [PATCH 00/23] qemu state loading issues, Michael S. Tsirkin, 2013/12/03
- [Qemu-stable] [PATCH 01/23] virtio-net: fix buffer overflow on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-stable] [PATCH 02/23] virtio-net: out-of-bounds buffer write on load, Michael S. Tsirkin, 2013/12/03
- [Qemu-stable] [PATCH 03/23] virtio-net: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-stable] [PATCH 05/23] ahci: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-stable] [PATCH 06/23] hpet: fix buffer overrun on invalid state load,
Michael S. Tsirkin <=
- [Qemu-stable] [PATCH 07/23] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load, Michael S. Tsirkin, 2013/12/03
[Qemu-stable] [PATCH 09/23] target-arm/machine.c: fix buffer overflow on invalid state load, Michael S. Tsirkin, 2013/12/03