Re: [Qemu-devel] [PATCH 20/23] zaurus: fix buffer overrun on invalid state load
From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH 20/23] zaurus: fix buffer overrun on invalid state load
Date: Tue, 3 Dec 2013 19:44:30 +0000
On 3 December 2013 16:29, Michael S. Tsirkin <address@hidden> wrote:
> CVE-2013-4540
>
> Within scoop_gpio_handler_update, if prev_level has a high bit set, then
> we get bit > 16 and that does a buffer overrun.
>
> Since prev_level comes from the wire indirectly, this can
> happen on invalid state load.
>
> To fix, limit to 16 bit.
I feel like it would be more robust to sanitize on state load
rather than hoping that all future updates to the device continue
to work with bogus values in the state struct.
Alternatively we could make gpio_dir, gpio_level and prev_level
uint16_t in the state struct and vmstate (we don't care about
migration cross-version compat for this device).
thanks
-- PMM
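To make the failure mode and the two fixes under discussion concrete, here is a stand-alone C model of the update loop and a post_load sanitizer. This is an added example written for this page, not QEMU's hw/gpio/zaurus.c; the struct, the function names (gpio_handler_update, gpio_post_load, count_out_of_range, load_and_update) and the sample values are assumptions made here, and a per-line call counter stands in for the qemu_irq handler[16] array so the out-of-bounds index is counted instead of dereferenced.

```c
/* Added example (not QEMU code): model of the scoop GPIO update path
 * discussed in the thread, with a post_load check as Peter suggests.
 * Names and the sample states below are constructed for this page. */
#include <stdint.h>
#include <stdio.h>
#include <strings.h>   /* ffs() */

#define GPIO_LINES 16

struct gpio_state {
    uint32_t gpio_dir;
    uint32_t gpio_level;
    uint32_t prev_level;            /* 32-bit field, as in the state struct */
    int handler_calls[GPIO_LINES];  /* stands in for qemu_irq handler[16] */
    int out_of_range;               /* bit indices >= GPIO_LINES seen */
};

/* The update loop as the commit message describes it: every set bit of
 * (prev_level ^ level) becomes an index into handler[].  Only the low 16
 * bits are meaningful, so a high bit in prev_level yields bit >= 16.
 * Here such an index is counted rather than used, so the model is safe
 * to run while still showing where the real device would overrun. */
static void gpio_handler_update(struct gpio_state *s)
{
    uint32_t level = s->gpio_level & s->gpio_dir;
    uint32_t diff;
    int bit;

    for (diff = s->prev_level ^ level; diff; diff ^= 1u << bit) {
        bit = ffs(diff) - 1;
        if (bit >= GPIO_LINES) {
            s->out_of_range++;      /* real code: handler[bit] overrun */
            continue;
        }
        s->handler_calls[bit]++;    /* real code: qemu_set_irq(handler[bit], ...) */
    }
    s->prev_level = level;
}

/* Sanitize on state load (the reply's first suggestion): refuse a
 * migration stream whose GPIO fields have bits beyond the 16 lines, so
 * later device code never sees bogus values.  Returns 0 or -1. */
static int gpio_post_load(struct gpio_state *s)
{
    uint32_t mask = (1u << GPIO_LINES) - 1;

    if ((s->gpio_dir | s->gpio_level | s->prev_level) & ~mask) {
        return -1;
    }
    return 0;
}

/* Unsanitized path: run the update directly on a "loaded" state and
 * report how many indices would have gone past handler[]. */
static int count_out_of_range(uint32_t prev_level, uint32_t level,
                              uint32_t dir)
{
    struct gpio_state s = { .gpio_dir = dir, .gpio_level = level,
                            .prev_level = prev_level };

    gpio_handler_update(&s);
    return s.out_of_range;
}

/* Sanitized path: validate first, then run.  Returns -1 when the state
 * is rejected, otherwise the out-of-range count (always 0). */
static int load_and_update(uint32_t prev_level, uint32_t level,
                           uint32_t dir)
{
    struct gpio_state s = { .gpio_dir = dir, .gpio_level = level,
                            .prev_level = prev_level };

    if (gpio_post_load(&s) < 0) {
        return -1;
    }
    gpio_handler_update(&s);
    return s.out_of_range;
}

int main(void)
{
    /* Constructed invalid state: bit 31 set in prev_level. */
    printf("unsanitized, prev_level=0x80000000: %d out-of-range index(es)\n",
           count_out_of_range(0x80000000u, 0, 0xffffu));
    printf("with post_load check: %d (rejected)\n",
           load_and_update(0x80000000u, 0, 0xffffu));
    printf("valid state, prev_level=0x0001: %d out-of-range\n",
           load_and_update(0x0001u, 0, 0xffffu));
    return 0;
}
```

The second alternative in the reply, declaring gpio_dir, gpio_level and prev_level as uint16_t in both the struct and the vmstate, removes the problem by construction: the field cannot hold a bit above 15, so no runtime check is needed in the update loop at all.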
Thread index:
- [Qemu-devel] [PATCH 15/23] pxa2xx: avoid buffer overrun on incoming migration, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 16/23] virtio: validate num_sg when mapping, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 17/23] ssi-sd: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 18/23] ssd0323: fix buffer overun on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 19/23] tsc210x: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 20/23] zaurus: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2013/12/03
- Re: [Qemu-devel] [PATCH 20/23] zaurus: fix buffer overrun on invalid state load, Peter Maydell, 2013/12/03 (this message)
- [Qemu-devel] [PATCH 21/23] usb: sanity check setup_index+setup_len in post_load, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 11/23] stellaris_enet: avoid buffer overrun on incoming migration (part 2), Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 23/23] savevm: fix potential segfault on invalid state, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 22/23] virtio-scsi: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 04/23] virtio: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2013/12/03
- Re: [Qemu-devel] [PATCH 00/23] qemu state loading issues, Peter Maydell, 2013/12/03