Message ID | 1396275242-10810-11-git-send-email-mst@redhat.com |
---|---|
State | New |
Headers | show |
* Michael S. Tsirkin (mst@redhat.com) wrote: > 4) CVE-2013-4529 > hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is > too large > > There are two issues in this file: > 1. log_max from remote can be larger than on local > then buffer will overrun with data coming from state file. > 2. log_num can be larger then we get data corruption > again with an overflow but not adversary controlled. > > Fix both issues. > > Reported-by: Anthony Liguori <anthony@codemonkey.ws> > Reported-by: Michael S. Tsirkin <mst@redhat.com> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> > --- > hw/pci/pcie_aer.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/hw/pci/pcie_aer.c b/hw/pci/pcie_aer.c > index 991502e..535be2c 100644 > --- a/hw/pci/pcie_aer.c > +++ b/hw/pci/pcie_aer.c > @@ -795,6 +795,13 @@ static const VMStateDescription vmstate_pcie_aer_err = { > } > }; > > +static bool pcie_aer_state_log_num_valid(void *opaque, int version_id) > +{ > + PCIEAERLog *s = opaque; > + > + return s->log_num <= s->log_max; > +} > + > const VMStateDescription vmstate_pcie_aer_log = { > .name = "PCIE_AER_ERROR_LOG", > .version_id = 1, > @@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_aer_log = { > .minimum_version_id_old = 1, > .fields = (VMStateField[]) { > VMSTATE_UINT16(log_num, PCIEAERLog), > - VMSTATE_UINT16(log_max, PCIEAERLog), > + VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog), > + VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid), > VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num, > vmstate_pcie_aer_err, PCIEAERErr), > VMSTATE_END_OF_LIST() > -- > MST > > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
diff --git a/hw/pci/pcie_aer.c b/hw/pci/pcie_aer.c index 991502e..535be2c 100644 --- a/hw/pci/pcie_aer.c +++ b/hw/pci/pcie_aer.c @@ -795,6 +795,13 @@ static const VMStateDescription vmstate_pcie_aer_err = { } }; +static bool pcie_aer_state_log_num_valid(void *opaque, int version_id) +{ + PCIEAERLog *s = opaque; + + return s->log_num <= s->log_max; +} + const VMStateDescription vmstate_pcie_aer_log = { .name = "PCIE_AER_ERROR_LOG", .version_id = 1, @@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_aer_log = { .minimum_version_id_old = 1, .fields = (VMStateField[]) { VMSTATE_UINT16(log_num, PCIEAERLog), - VMSTATE_UINT16(log_max, PCIEAERLog), + VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog), + VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid), VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num, vmstate_pcie_aer_err, PCIEAERErr), VMSTATE_END_OF_LIST()
4) CVE-2013-4529 hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is too large There are two issues in this file: 1. log_max from remote can be larger than on local then buffer will overrun with data coming from state file. 2. log_num can be larger then we get data corruption again with an overflow but not adversary controlled. Fix both issues. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Reported-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> --- hw/pci/pcie_aer.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)