From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41780) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WUd14-0000XL-Ew for qemu-devel@nongnu.org; Mon, 31 Mar 2014 10:16:52 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WUd0y-0000gr-6D for qemu-devel@nongnu.org; Mon, 31 Mar 2014 10:16:46 -0400 Date: Mon, 31 Mar 2014 17:17:01 +0300 From: "Michael S. Tsirkin" Message-ID: <1396275242-10810-18-git-send-email-mst@redhat.com> References: <1396275242-10810-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1396275242-10810-1-git-send-email-mst@redhat.com> Subject: [Qemu-devel] [PATCH v4 17/30] openpic: avoid buffer overrun on incoming migration List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Peter Crosthwaite , mdroth@linux.vnet.ibm.com, qemu-stable@nongnu.org, Alexander Graf , Paolo Bonzini , =?us-ascii?B?PT9VVEYtOD9xP0FuZHJlYXM9MjBGPUMzPUE0cmJlcj89?= , dgilbert@redhat.com From: Michael Roth CVE-2013-4534 opp->nb_cpus is read from the wire and used to determine how many IRQDest elements to read into opp->dst[]. If the value exceeds the length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary data from the wire. Fix this by failing migration if the value read from the wire exceeds MAX_CPU. Signed-off-by: Michael Roth Signed-off-by: Michael S. Tsirkin --- hw/intc/openpic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/intc/openpic.c b/hw/intc/openpic.c index be76fbd..8cb16da 100644 --- a/hw/intc/openpic.c +++ b/hw/intc/openpic.c @@ -1429,6 +1429,9 @@ static int openpic_load(QEMUFile* f, void *opaque, int version_id) qemu_get_be32s(f, &opp->tfrr); qemu_get_be32s(f, &opp->nb_cpus); + if (opp->nb_cpus > MAX_CPU) { + return -EINVAL; + } for (i = 0; i < opp->nb_cpus; i++) { qemu_get_sbe32s(f, &opp->dst[i].ctpr); -- MST