From: "Michael S. Tsirkin" <mst@redhat.com>
To: Juan Quintela <quintela@redhat.com>
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
	"Liu Ping Fan" <pingfank@linux.vnet.ibm.com>,
	mdroth@linux.vnet.ibm.com,
	"Markus Armbruster" <armbru@redhat.com>,
	qemu-stable@nongnu.org, qemu-devel@nongnu.org,
	"Anthony Liguori" <anthony@codemonkey.ws>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Andreas Färber" <afaerber@suse.de>,
	dgilbert@redhat.com
Subject: Re: [Qemu-devel] [PATCH v5 09/24] hpet: fix buffer overrun on invalid state load
Date: Fri, 4 Apr 2014 17:47:39 +0300
Message-ID: <20140404144739.GA31943@redhat.com>
In-Reply-To: <877g758ls7.fsf@elfo.mitica>

On Fri, Apr 04, 2014 at 11:51:52AM +0200, Juan Quintela wrote:
> "Michael S. Tsirkin" <mst@redhat.com> wrote:
> > CVE-2013-4527 hw/timer/hpet.c buffer overrun
> >
> > hpet is a VARRAY with a uint8 size but static array of 32
> >
> > To fix, make sure num_timers is valid using VMSTATE_VALID hook.
> >
> > Reported-by: Anthony Liguori <anthony@codemonkey.ws>
> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> 
> 
> Ok, seeing what you want to do with VMSTATE_VALIDATE.

It does not seem clean to add a callback that is only
used with a single type.

> Much better solution is add a ->validate() field, and use it in the
> equivalent of LESS_EQUAL and rest of tests.
> 
> Will send a patch.
> 
> Later, Juan.

I think it's better to stick to plain C; extending macros like
LESS_EQUAL is too tricky, and vmstate is already full of ugly one-off macros.

> > ---
> >  hw/timer/hpet.c | 13 +++++++++++++
> >  1 file changed, 13 insertions(+)
> >
> > diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
> > index e15d6bc..2792f89 100644
> > --- a/hw/timer/hpet.c
> > +++ b/hw/timer/hpet.c
> > @@ -239,6 +239,18 @@ static int hpet_pre_load(void *opaque)
> >      return 0;
> >  }
> >  
> > +static bool hpet_validate_num_timers(void *opaque, int version_id)
> > +{
> > +    HPETState *s = opaque;
> > +
> > +    if (s->num_timers < HPET_MIN_TIMERS) {
> > +        return false;
> > +    } else if (s->num_timers > HPET_MAX_TIMERS) {
> > +        return false;
> > +    }
> > +    return true;
> > +}
> > +
> >  static int hpet_post_load(void *opaque, int version_id)
> >  {
> >      HPETState *s = opaque;
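Review bot: hpet_validate_num_timers returns a bare false with no indication of which bound was violated, so a refused migration leaves the operator with only the name string passed to VMSTATE_VALIDATE to go on; a one-line comment here saying that reporting is the caller's job would make that contract explicit. The if/else-if chain also collapses to `return s->num_timers >= HPET_MIN_TIMERS && s->num_timers <= HPET_MAX_TIMERS;`, which reads as the range it checks. HPET_MIN_TIMERS and HPET_MAX_TIMERS are not defined in this hunk; since the commit message says the backing array is a static array of 32, a static assertion or comment tying HPET_MAX_TIMERS to the size of the timer array would keep the two from drifting apart.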
> > @@ -307,6 +319,7 @@ static const VMStateDescription vmstate_hpet = {
> >          VMSTATE_UINT64(isr, HPETState),
> >          VMSTATE_UINT64(hpet_counter, HPETState),
> >          VMSTATE_UINT8_V(num_timers, HPETState, 2),
> > +        VMSTATE_VALIDATE("num_timers in range", hpet_validate_num_timers),
> >          VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0,
> >                                      vmstate_hpet_timer, HPETTimer),
> >          VMSTATE_END_OF_LIST()
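Review bot: the fix relies entirely on the position of the new VMSTATE_VALIDATE entry: it must follow VMSTATE_UINT8_V(num_timers, ...) so that the count read from the stream is what gets checked, and it must precede VMSTATE_STRUCT_VARRAY_UINT8(timer, ...) so that the check runs before any element is written into the fixed-size array. Nothing in the description enforces that order, so a comment on this line stating that the validate entry must stay between the count and the VARRAY would stop a later reordering from silently reintroducing the overrun. Note also that num_timers is versioned (VMSTATE_UINT8_V ... 2) while the validate entry is not, so for a version 1 stream the check runs against whatever num_timers held before load; that is only safe if hpet_pre_load or device reset leaves it in range.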

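As an added example, not code from the QEMU patch or from anyone in this thread: a stand-alone C model of the load sequence the commit message describes, a uint8 VARRAY count driving writes into a fixed array of 32 entries, with the validate step placed where the patch puts it. HPET_MAX_TIMERS = 32 comes from the commit message's "static array of 32"; HPET_MIN_TIMERS = 3, the simplified HPETTimer layout and the stream format are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <errno.h>

#define HPET_MIN_TIMERS 3    /* assumed value; not stated on the page */
#define HPET_MAX_TIMERS 32   /* the "static array of 32" from the commit message */
typedef struct { uint64_t config, cmp; } HPETTimer;  /* simplified timer record */
typedef struct {
    uint8_t num_timers;                 /* uint8 VARRAY count loaded from the stream */
    HPETTimer timer[HPET_MAX_TIMERS];   /* fixed-size backing array */
} HPETState;

/* Same shape and contract as the patch's VMSTATE_VALIDATE callback. */
static bool hpet_validate_num_timers(void *opaque, int version_id)
{
    HPETState *s = opaque;
    (void)version_id;
    return s->num_timers >= HPET_MIN_TIMERS && s->num_timers <= HPET_MAX_TIMERS;
}

/* Load a constructed stream laid out as [num_timers:u8][num_timers records].
 * Returns 0 on success, -EINVAL when the count is rejected or the stream is short.
 * Without the validate step a count above 32 would write past s->timer. */
static int hpet_load(HPETState *s, const uint8_t *buf, size_t len)
{
    if (len < 1) {
        return -EINVAL;
    }
    s->num_timers = buf[0];
    /* Validate sits between the count and the VARRAY, exactly as in the patch. */
    if (!hpet_validate_num_timers(s, 2)) {
        return -EINVAL;
    }
    if (len < 1 + (size_t)s->num_timers * sizeof(HPETTimer)) {
        return -EINVAL;
    }
    memcpy(s->timer, buf + 1, s->num_timers * sizeof(HPETTimer));
    return 0;
}

/* Build a zero-filled constructed stream carrying the given count and load it. */
static int try_load(uint8_t num_timers)
{
    static uint8_t buf[1 + 255 * sizeof(HPETTimer)];
    HPETState s;
    memset(buf, 0, sizeof buf);
    buf[0] = num_timers;
    return hpet_load(&s, buf, sizeof buf);
}
```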