1369de9828
CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)
36 lines
1.2 KiB
Diff
36 lines
1.2 KiB
Diff
From: "Michael S. Tsirkin" <mst@redhat.com>
|
|
Date: Thu, 3 Apr 2014 19:51:18 +0300
|
|
Subject: [PATCH] ahci: fix buffer overrun on invalid state load
|
|
|
|
CVE-2013-4526
|
|
|
|
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
|
|
we use the old version of ports to read the array but then allow any
|
|
value for ports. This can cause the code to overflow.
|
|
|
|
There's no reason to migrate ports - it never changes.
|
|
So just make sure it matches.
|
|
|
|
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Signed-off-by: Juan Quintela <quintela@redhat.com>
|
|
(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
|
|
---
|
|
hw/ide/ahci.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
|
|
index bba150f..7c62cc7 100644
|
|
--- a/hw/ide/ahci.c
|
|
+++ b/hw/ide/ahci.c
|
|
@@ -1281,7 +1281,7 @@ const VMStateDescription vmstate_ahci = {
|
|
VMSTATE_UINT32(control_regs.impl, AHCIState),
|
|
VMSTATE_UINT32(control_regs.version, AHCIState),
|
|
VMSTATE_UINT32(idp_index, AHCIState),
|
|
- VMSTATE_INT32(ports, AHCIState),
|
|
+ VMSTATE_INT32_EQUAL(ports, AHCIState),
|
|
VMSTATE_END_OF_LIST()
|
|
},
|
|
};
|