From: Andreas Färber
Subject: [Qemu-devel] [PATCH stable-0.15 01/36] ccid: Fix buffer overrun in handling of VSC_ATR message
Date: Wed, 28 Mar 2012 14:52:04 +0200
From: Markus Armbruster <address@hidden>
ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].
The message is read from a character device. Obvious security
implications unless the other end of the character device is trusted.
Spotted by Coverity. CVE-2011-4111.
Signed-off-by: Markus Armbruster <address@hidden>
Signed-off-by: Anthony Liguori <address@hidden>
(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)
Signed-off-by: Bruce Rogers <address@hidden>
[AF: Fixes BNC#731086.]
Signed-off-by: Andreas Färber <address@hidden>
---
hw/ccid-card-passthru.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
index 28eb9d1..0505663 100644
--- a/hw/ccid-card-passthru.c
+++ b/hw/ccid-card-passthru.c
@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState
*card,
error_report("ATR size exceeds spec, ignoring");
ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
VSC_GENERAL_ERROR);
+ break;
}
memcpy(card->atr, data, scr_msg_header->length);
card->atr_length = scr_msg_header->length;
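Review bot: the added `break` only compiles because this `if` sits inside a loop or a `switch`, and the two lines of leading context do not show which; if, as the function name and the VSC_ATR subject suggest, it is the per-message-type `switch` in ccid_card_vscard_handle_message(), the `break` leaves the case before the `memcpy(card->atr, data, scr_msg_header->length)` and that is the intended fix. The length comparison that guards this error path is also outside the visible context, so the hunk alone does not let a reviewer confirm that the bound tested is `sizeof(card->atr)` rather than a constant that could drift from the array size; consider comparing against `sizeof(card->atr)` directly and adding a one-line comment such as `/* ATR too large for card->atr[], do not copy */` above the `break` so the intent survives later refactoring. Note that `break` exits the `switch`, not the function, so anything after the `switch` still runs with `card->atr` and `card->atr_length` unchanged, which is the desired outcome here.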
--
1.7.7
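The bug pattern the commit message describes (an over-long ATR is diagnosed and an error is sent, but control then falls through to the unbounded memcpy) is worth seeing in isolation. The following is an added example, not QEMU code: the struct layout, the message type value, the 40-byte ATR limit, the hypothetical names handle_vsc_atr(), accepts_length() and demo(), and the constructed messages are all assumptions chosen to mirror the shape of the passthru handler in the patch. It implements only the corrected control flow, with the length bound taken from sizeof(card->atr) so it cannot drift from the array size, and uses a sentinel-filled card structure to confirm that a rejected message leaves the ATR state untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU code. Sizes, names and layout are assumptions. */
#define MAX_ATR_SIZE 40          /* assumed limit; an ISO 7816-3 ATR is at most 33 bytes */

enum { VSC_ATR = 1 };                       /* hypothetical message type value */
enum { VSC_OK = 0, VSC_GENERAL_ERROR = 1 }; /* stand-ins for the reader error codes */

typedef struct {
    uint32_t type;
    uint32_t reader_id;
    uint32_t length;             /* payload length, controlled by the character-device peer */
} vsc_msg_header;

typedef struct {
    uint8_t atr[MAX_ATR_SIZE];
    uint32_t atr_length;
    int last_error;              /* stands in for ccid_card_vscard_send_error() */
} passthru_state;

/* Returns 0 if the ATR was accepted and copied, -1 if the message was rejected.
 * The pre-patch defect was that the oversized case logged, reported an error,
 * and then fell through to the memcpy below; here the error path leaves first. */
int handle_vsc_atr(passthru_state *card, const vsc_msg_header *hdr,
                   const uint8_t *payload)
{
    if (hdr->type != VSC_ATR) {
        return -1;
    }
    if (hdr->length > sizeof(card->atr)) {      /* bound tied to the array itself */
        fprintf(stderr, "ATR size exceeds spec, ignoring\n");
        card->last_error = VSC_GENERAL_ERROR;
        return -1;                              /* the fix: do not touch card->atr */
    }
    memcpy(card->atr, payload, hdr->length);
    card->atr_length = hdr->length;
    card->last_error = VSC_OK;
    return 0;
}

/* Boundary probe: is an ATR of exactly n bytes accepted (1) or rejected (0)? */
int accepts_length(uint32_t n)
{
    passthru_state card = {0};
    uint8_t buf[256] = {0};                     /* constructed payload, zero-filled */
    if (n > sizeof(buf)) {
        return 0;
    }
    vsc_msg_header hdr = { VSC_ATR, 0, n };
    return handle_vsc_atr(&card, &hdr, buf) == 0;
}

/* Drives the handler with two constructed messages: a valid 33-byte ATR, then
 * a 256-byte one. Returns 0 when the oversized message is rejected and the
 * state from the accepted message survives it, a non-zero step number otherwise. */
int demo(void)
{
    passthru_state card;
    memset(&card, 0xAA, sizeof(card));          /* sentinel fill to detect stray writes */
    card.atr_length = 0;

    uint8_t good[33];
    memset(good, 0x3B, sizeof(good));           /* constructed ATR, 0x3B is the direct-convention TS byte */
    vsc_msg_header ok_hdr = { VSC_ATR, 0, sizeof(good) };
    if (handle_vsc_atr(&card, &ok_hdr, good) != 0 || card.atr_length != 33) {
        return 1;
    }

    uint8_t big[256];
    memset(big, 0x41, sizeof(big));             /* constructed oversized payload */
    vsc_msg_header bad_hdr = { VSC_ATR, 0, sizeof(big) };
    if (handle_vsc_atr(&card, &bad_hdr, big) != -1) {
        return 2;
    }
    if (card.atr_length != 33 || card.atr[0] != 0x3B || card.last_error != VSC_GENERAL_ERROR) {
        return 3;
    }
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s\n", rc == 0 ? "oversized ATR rejected, state intact" : "FAILED");
    return rc;
}
```

The point of accepts_length() is the off-by-one at the boundary: a length equal to sizeof(card->atr) is the largest that fits and must be accepted, one byte more must not, and the comparison reads that way directly from the array rather than from a separately maintained constant.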