qemu/0310-vmstate-fix-buffer-overflow-in-target-arm-machine.c.patch
Cole Robinson 1369de9828 CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization (bz #1157647, bz #1157641)
CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)
2014-10-29 15:12:00 -04:00

58 lines
1.6 KiB
Diff

From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:42 +0300
Subject: [PATCH] vmstate: fix buffer overflow in target-arm/machine.c
CVE-2013-4531
cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.
VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.
Fix this macro to valide the value appropriately.
The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)
---
savevm.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/savevm.c b/savevm.c
index 9f7f668..ffc1a7c 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1104,17 +1104,20 @@ const VMStateInfo vmstate_info_int32_equal = {
.put = put_int32,
};
-/* 32 bit int. See that the received value is the less or the same
- than the one in the field */
+/* 32 bit int. Check that the received value is non-negative
+ * and less than or equal to the one in the field.
+ */
static int get_int32_le(QEMUFile *f, void *pv, size_t size)
{
- int32_t *old = pv;
- int32_t new;
- qemu_get_sbe32s(f, &new);
+ int32_t *cur = pv;
+ int32_t loaded;
+ qemu_get_sbe32s(f, &loaded);
- if (*old <= new)
+ if (loaded >= 0 && loaded <= *cur) {
+ *cur = loaded;
return 0;
+ }
return -EINVAL;
}