From: Don Koch
Date: Mon, 31 Mar 2014 13:26:16 -0400
Message-Id: <20140331132616.e750e03da193c1b160736efb@terremark.com>
In-Reply-To: <1396275242-10810-20-git-send-email-mst@redhat.com>
References: <1396275242-10810-1-git-send-email-mst@redhat.com> <1396275242-10810-20-git-send-email-mst@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v4 19/30] pxa2xx: avoid buffer overrun on incoming migration
To: "Michael S. Tsirkin"
Cc: Peter Maydell, qemu-devel@nongnu.org, mdroth@linux.vnet.ibm.com, Don Koch, qemu-stable@nongnu.org, dgilbert@redhat.com

On Mon, 31 Mar 2014 17:17:08 +0300
"Michael S. Tsirkin" wrote:

> CVE-2013-4533
>
> s->rx_level is read from the wire and used to determine how many bytes
> to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
> length of s->rx_fifo[] the buffer can be overrun with arbitrary data
> from the wire.
>
> Fix this by validating rx_level against the size of s->rx_fifo.
>
> Cc: Don Koch
> Reported-by: Michael Roth
> Signed-off-by: Michael S. Tsirkin

Reviewed-by: Don Koch

-d
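The check the commit message describes, as a small stand-alone model added here (this is not QEMU's pxa2xx code or the patch itself): a receive FIFO whose fill level is read from a migration stream and validated against the FIFO size before any bytes are copied. The FIFO size, the big-endian framing of rx_level and the sample streams are assumptions for the demo.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Model of the pxa2xx SSP receive FIFO (size assumed, not taken from QEMU). */
#define RX_FIFO_SIZE 16
typedef struct {
    int32_t rx_level;               /* fill level, migrated over the wire */
    uint8_t rx_fifo[RX_FIFO_SIZE];
} SSPState;
/* Stand-in for the migration stream: big-endian 32-bit rx_level followed
 * by rx_level FIFO bytes (framing assumed for this demo). */
typedef struct { const uint8_t *data; size_t len, pos; } Stream;
static int get_be32(Stream *f, int32_t *out)
{
    if (f->len - f->pos < 4) return -EIO;
    *out = (int32_t)((uint32_t)f->data[f->pos] << 24 | (uint32_t)f->data[f->pos + 1] << 16 |
                     (uint32_t)f->data[f->pos + 2] << 8 | f->data[f->pos + 3]);
    f->pos += 4;
    return 0;
}
/* Pre-fix, rx_level from the stream was used directly as the bound of the loop
 * filling rx_fifo[], so a larger (or negative) value overran the array.
 * Post-fix behaviour: reject out-of-range levels before any copy happens. */
int ssp_load_rx(SSPState *s, Stream *f)
{
    int32_t level;
    if (get_be32(f, &level) < 0) return -EIO;
    if (level < 0 || level > RX_FIFO_SIZE) return -EINVAL;  /* the CVE-2013-4533 check */
    if (f->len - f->pos < (size_t)level) return -EIO;       /* truncated stream */
    s->rx_level = level;
    memcpy(s->rx_fifo, f->data + f->pos, (size_t)level);
    f->pos += (size_t)level;
    return 0;
}
/* Constructed sample streams and a global state the caller can inspect. */
static SSPState demo_state;
static const uint8_t stream_ok[]  = { 0, 0, 0, 3, 0xaa, 0xbb, 0xcc };  /* level 3 */
static const uint8_t stream_big[] = { 0, 0, 1, 0, 0 };                  /* level 256 */
static const uint8_t stream_neg[] = { 0xff, 0xff, 0xff, 0xff };         /* level -1 */
int load_demo(const uint8_t *buf, size_t n)
{
    Stream f = { buf, n, 0 };
    memset(&demo_state, 0, sizeof demo_state);
    return ssp_load_rx(&demo_state, &f);
}
int demo_ok(void)  { return load_demo(stream_ok, sizeof stream_ok); }
int demo_big(void) { return load_demo(stream_big, sizeof stream_big); }
int demo_neg(void) { return load_demo(stream_neg, sizeof stream_neg); }
```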