From patchwork Mon Nov 28 19:27:37 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Markus Armbruster X-Patchwork-Id: 128064 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [140.186.70.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id F2F48B6F80 for ; Tue, 29 Nov 2011 06:27:53 +1100 (EST) Received: from localhost ([::1]:48362 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RV6rl-00023f-10 for incoming@patchwork.ozlabs.org; Mon, 28 Nov 2011 14:27:49 -0500 Received: from eggs.gnu.org ([140.186.70.92]:40672) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RV6rf-00023P-ER for qemu-devel@nongnu.org; Mon, 28 Nov 2011 14:27:44 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1RV6re-0002cw-3Y for qemu-devel@nongnu.org; Mon, 28 Nov 2011 14:27:43 -0500 Received: from oxygen.pond.sub.org ([78.46.104.156]:37288) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RV6rd-0002cd-VG for qemu-devel@nongnu.org; Mon, 28 Nov 2011 14:27:42 -0500 Received: from blackfin.pond.sub.org (p5B329D5A.dip.t-dialin.net [91.50.157.90]) by oxygen.pond.sub.org (Postfix) with ESMTPA id D87EA9FF79; Mon, 28 Nov 2011 20:27:38 +0100 (CET) Received: by blackfin.pond.sub.org (Postfix, from userid 500) id EFC656006E; Mon, 28 Nov 2011 20:27:37 +0100 (CET) From: Markus Armbruster To: qemu-devel@nongnu.org Date: Mon, 28 Nov 2011 20:27:37 +0100 Message-Id: <1322508457-25520-1-git-send-email-armbru@redhat.com> X-Mailer: git-send-email 1.7.6.4 X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 78.46.104.156 Cc: alevy@redhat.com Subject: [Qemu-devel] [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org ATR size exceeding the limit is diagnosed, but then we merrily use it anyway, overrunning card->atr[]. The message is read from a character device. Obvious security implications unless the other end of the character device is trusted. Spotted by Coverity. CVE-2011-4111. Signed-off-by: Markus Armbruster --- hw/ccid-card-passthru.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c index 2cbc81b..9f51c6c 100644 --- a/hw/ccid-card-passthru.c +++ b/hw/ccid-card-passthru.c @@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card, error_report("ATR size exceeds spec, ignoring"); ccid_card_vscard_send_error(card, scr_msg_header->reader_id, VSC_GENERAL_ERROR); + break; } memcpy(card->atr, data, scr_msg_header->length); card->atr_length = scr_msg_header->length;