qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH 21/23] usb: sanity check setup_index+setup_len in po


From: Michael S. Tsirkin
Subject: [Qemu-devel] [PATCH 21/23] usb: sanity check setup_index+setup_len in post_load
Date: Tue, 3 Dec 2013 18:29:18 +0200

From: Gerd Hoffmann <address@hidden>

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked against data_buf size.

Signed-off-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
---
 hw/usb/bus.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index ca329be..4ed1c3b 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -51,6 +51,10 @@ static int usb_device_post_load(void *opaque, int version_id)
         dev->setup_len >= sizeof(dev->data_buf)) {
         return -EINVAL;
     }
+    if (dev->setup_index >= sizeof(dev->data_buf) ||
+        dev->setup_len >= sizeof(dev->data_buf)) {
+        return -EINVAL;
+    }
     return 0;
 }
 
-- 
MST




reply via email to

[Prev in Thread] Current Thread [Next in Thread]