From patchwork Mon May 5 20:30:12 2014
X-Patchwork-Submitter: Juan Quintela
X-Patchwork-Id: 345889
From: Juan Quintela
To: qemu-devel@nongnu.org
Date: Mon, 5 May 2014 22:30:12 +0200
Message-Id: <1399321834-31310-15-git-send-email-quintela@redhat.com>
In-Reply-To: <1399321834-31310-1-git-send-email-quintela@redhat.com>
References: <1399321834-31310-1-git-send-email-quintela@redhat.com>
Cc: Don Koch, "Michael S. Tsirkin"
Subject: [Qemu-devel] [PATCH 14/36] pxa2xx: avoid buffer overrun on incoming migration

From: "Michael S. Tsirkin"

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the length of s->rx_fifo[] the buffer can be overrun with arbitrary data from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch
Reported-by: Michael Roth
Signed-off-by: Michael S. Tsirkin
Reviewed-by: Peter Maydell
Reviewed-by: Don Koch
Signed-off-by: Juan Quintela
---
 hw/arm/pxa2xx.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index 0429148..e0cd847 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -732,7 +732,7 @@ static void pxa2xx_ssp_save(QEMUFile *f, void *opaque) static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id) { PXA2xxSSPState *s = (PXA2xxSSPState *) opaque; - int i; + int i, v; s->enable = qemu_get_be32(f); 
@@ -746,7 +746,11 @@ static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id) qemu_get_8s(f, &s->ssrsa); qemu_get_8s(f, &s->ssacd); - s->rx_level = qemu_get_byte(f); + v = qemu_get_byte(f); + if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) { + return -EINVAL; + } + s->rx_level = v; s->rx_start = 0; for (i = 0; i < s->rx_level; i ++) s->rx_fifo[i] = qemu_get_byte(f);
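Review bot: In the second hunk the `v < 0` half of the new check is unreachable, because qemu_get_byte() returns the next byte as a non-negative int (and 0 at end of stream), so the effective guard is `v > ARRAY_SIZE(s->rx_fifo)`; either drop the dead test or leave a comment saying it is intentional defensiveness. The upper bound itself is right: with `v <= ARRAY_SIZE(s->rx_fifo)` the loop `for (i = 0; i < s->rx_level; i ++) s->rx_fifo[i] = qemu_get_byte(f);` writes at most ARRAY_SIZE(s->rx_fifo) elements, which is exactly what the commit message promises for CVE-2013-4533. One style point: `v` is a signed int compared against the unsigned `ARRAY_SIZE(...)`, which some compilers flag under -Wsign-compare; since `v` is already known to be non-negative at that point, a cast such as `(size_t)v > ARRAY_SIZE(s->rx_fifo)` or declaring `v` as an unsigned type would silence it without changing behaviour.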