[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 21/23] usb: sanity check setup_index+setup_len in po
From: |
Michael S. Tsirkin |
Subject: |
[Qemu-devel] [PATCH 21/23] usb: sanity check setup_index+setup_len in post_load |
Date: |
Tue, 3 Dec 2013 18:29:18 +0200 |
From: Gerd Hoffmann <address@hidden>
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked against data_buf size.
Signed-off-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
---
hw/usb/bus.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index ca329be..4ed1c3b 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -51,6 +51,10 @@ static int usb_device_post_load(void *opaque, int version_id)
dev->setup_len >= sizeof(dev->data_buf)) {
return -EINVAL;
}
+ if (dev->setup_index >= sizeof(dev->data_buf) ||
+ dev->setup_len >= sizeof(dev->data_buf)) {
+ return -EINVAL;
+ }
return 0;
}
--
MST
- Re: [Qemu-devel] [PATCH 15/23] pxa2xx: avoid buffer overrun on incoming migration, (continued)
- [Qemu-devel] [PATCH 16/23] virtio: validate num_sg when mapping, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 17/23] ssi-sd: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 18/23] ssd0323: fix buffer overun on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 19/23] tsc210x: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 20/23] zaurus: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 21/23] usb: sanity check setup_index+setup_len in post_load,
Michael S. Tsirkin <=
- [Qemu-devel] [PATCH 11/23] stellaris_enet: avoid buffer overrun on incoming migration (part 2), Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 23/23] savevm: fix potential segfault on invalid state, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 22/23] virtio-scsi: fix buffer overrun on invalid state load, Michael S. Tsirkin, 2013/12/03
- [Qemu-devel] [PATCH 04/23] virtio: out-of-bounds buffer write on invalid state load, Michael S. Tsirkin, 2013/12/03
- Re: [Qemu-devel] [PATCH 00/23] qemu state loading issues, Peter Maydell, 2013/12/03