[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH v4 08/30] ahci: fix buffer overrun on invalid state
|
From: |
Michael S. Tsirkin |
|
Subject: |
[Qemu-stable] [PATCH v4 08/30] ahci: fix buffer overrun on invalid state load |
|
Date: |
Mon, 31 Mar 2014 17:16:31 +0300 |
CVE-2013-4526
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
we use the old version of ports to read the array but then allow any
value for ports. This can cause the code to overflow.
There's no reason to migrate ports - it never changes.
So just make sure it matches.
Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
---
hw/ide/ahci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index bfe633f..457a7a1 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = {
VMSTATE_UINT32(control_regs.impl, AHCIState),
VMSTATE_UINT32(control_regs.version, AHCIState),
VMSTATE_UINT32(idp_index, AHCIState),
- VMSTATE_INT32(ports, AHCIState),
+ VMSTATE_INT32_EQUAL(ports, AHCIState),
VMSTATE_END_OF_LIST()
},
};
--
MST
- [Qemu-stable] [PATCH v4 26/30] savevm: fix potential segfault on invalid state, (continued)
- [Qemu-stable] [PATCH v4 26/30] savevm: fix potential segfault on invalid state, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 27/30] vmxnet3: validate interrupt indices coming from guest, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 28/30] vmxnet3: validate interrupt indices read on migration, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 29/30] vmxnet3: validate queues configuration coming from quest, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 30/30] vmxnet3: validate queues configuration read on migration, Michael S. Tsirkin, 2014/03/31
- [Qemu-stable] [PATCH v4 08/30] ahci: fix buffer overrun on invalid state load,
Michael S. Tsirkin <=