53 lines
1.6 KiB
Diff
53 lines
1.6 KiB
Diff
From acf45756e165664f6d70025c02ddca563adee496 Mon Sep 17 00:00:00 2001
|
|
From: "Michael S. Tsirkin" <mst@redhat.com>
|
|
Date: Thu, 3 Apr 2014 19:51:42 +0300
|
|
Subject: [PATCH] vmstate: fix buffer overflow in target-arm/machine.c
|
|
|
|
CVE-2013-4531
|
|
|
|
cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
|
|
cpreg_vmstate_array_len will cause a buffer overflow.
|
|
|
|
VMSTATE_INT32_LE was supposed to protect against this
|
|
but doesn't because it doesn't validate that input is
|
|
non-negative.
|
|
|
|
Fix this macro to valide the value appropriately.
|
|
|
|
The only other user of VMSTATE_INT32_LE doesn't
|
|
ever use negative numbers so it doesn't care.
|
|
|
|
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: Juan Quintela <quintela@redhat.com>
|
|
(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)
|
|
---
|
|
vmstate.c | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/vmstate.c b/vmstate.c
|
|
index d856319..105f184 100644
|
|
--- a/vmstate.c
|
|
+++ b/vmstate.c
|
|
@@ -333,8 +333,9 @@ const VMStateInfo vmstate_info_int32_equal = {
|
|
.put = put_int32,
|
|
};
|
|
|
|
-/* 32 bit int. Check that the received value is less than or equal to
|
|
- the one in the field */
|
|
+/* 32 bit int. Check that the received value is non-negative
|
|
+ * and less than or equal to the one in the field.
|
|
+ */
|
|
|
|
static int get_int32_le(QEMUFile *f, void *pv, size_t size)
|
|
{
|
|
@@ -342,7 +343,7 @@ static int get_int32_le(QEMUFile *f, void *pv, size_t size)
|
|
int32_t loaded;
|
|
qemu_get_sbe32s(f, &loaded);
|
|
|
|
- if (loaded <= *cur) {
|
|
+ if (loaded >= 0 && loaded <= *cur) {
|
|
*cur = loaded;
|
|
return 0;
|
|
}
|