From patchwork Tue Dec 3 16:28:35 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Michael S. Tsirkin" X-Patchwork-Id: 296238 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id 2E99C2C00A1 for ; Wed, 4 Dec 2013 03:27:57 +1100 (EST) Received: from localhost ([::1]:43365 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VnspG-0008Ig-Ni for incoming@patchwork.ozlabs.org; Tue, 03 Dec 2013 11:27:54 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41613) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Vnsmd-0005IL-BB for qemu-devel@nongnu.org; Tue, 03 Dec 2013 11:25:16 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VnsmY-0006ft-MK for qemu-devel@nongnu.org; Tue, 03 Dec 2013 11:25:11 -0500 Received: from mx1.redhat.com ([209.132.183.28]:37093) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VnsmY-0006f0-Bb; Tue, 03 Dec 2013 11:25:06 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id rB3GP4iF024195 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 3 Dec 2013 11:25:04 -0500 Received: from redhat.com ([10.35.213.190]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with SMTP id rB3GP2UE016934; Tue, 3 Dec 2013 11:25:02 -0500 Date: Tue, 3 Dec 2013 18:28:35 +0200 From: "Michael S. Tsirkin" To: qemu-devel@nongnu.org Message-ID: <1386087086-3691-6-git-send-email-mst@redhat.com> References: <1386087086-3691-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <1386087086-3691-1-git-send-email-mst@redhat.com> X-Mutt-Fcc: =sent X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 209.132.183.28 Cc: Kevin Wolf , qemu-stable@nongnu.org, Anthony Liguori Subject: [Qemu-devel] [PATCH 05/23] ahci: fix buffer overrun on invalid state load X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org CVE-2013-4526 Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So we use the old version of ports to read the array but then allow any value for ports. This can cause the code to overflow. There's no reason to migrate ports - it never changes. So just make sure it matches. Reported-by: Anthony Liguori Signed-off-by: Michael S. Tsirkin --- hw/ide/ahci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c index fbea9e8..e321274 100644 --- a/hw/ide/ahci.c +++ b/hw/ide/ahci.c @@ -1290,7 +1290,7 @@ const VMStateDescription vmstate_ahci = { VMSTATE_UINT32(control_regs.impl, AHCIState), VMSTATE_UINT32(control_regs.version, AHCIState), VMSTATE_UINT32(idp_index, AHCIState), - VMSTATE_INT32(ports, AHCIState), + VMSTATE_INT32_EQUAL(ports, AHCIState), VMSTATE_END_OF_LIST() }, };