1369de9828
CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)
40 lines
1.4 KiB
Diff
40 lines
1.4 KiB
Diff
From: Michael Roth <mdroth@linux.vnet.ibm.com>
|
|
Date: Thu, 3 Apr 2014 19:51:46 +0300
|
|
Subject: [PATCH] virtio: avoid buffer overrun on incoming migration
|
|
|
|
CVE-2013-6399
|
|
|
|
vdev->queue_sel is read from the wire, and later used in the
|
|
emulation code as an index into vdev->vq[]. If the value of
|
|
vdev->queue_sel exceeds the length of vdev->vq[], currently
|
|
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
|
|
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
|
|
the buffer with arbitrary data originating from the source.
|
|
|
|
Fix this by failing migration if the value from the wire exceeds
|
|
VIRTIO_PCI_QUEUE_MAX.
|
|
|
|
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Signed-off-by: Juan Quintela <quintela@redhat.com>
|
|
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
|
|
---
|
|
hw/virtio/virtio.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
|
index 8dc3cb3..705fad9 100644
|
|
--- a/hw/virtio/virtio.c
|
|
+++ b/hw/virtio/virtio.c
|
|
@@ -904,6 +904,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
|
|
qemu_get_8s(f, &vdev->status);
|
|
qemu_get_8s(f, &vdev->isr);
|
|
qemu_get_be16s(f, &vdev->queue_sel);
|
|
+ if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
|
|
+ return -1;
|
|
+ }
|
|
qemu_get_be32s(f, &features);
|
|
|
|
if (virtio_set_features(vdev, features) < 0) {
|