[Qemu-devel] [PATCH v4 15/30] stellaris_enet: avoid buffer orerrun on in
From: Michael S. Tsirkin
Subject: [Qemu-devel] [PATCH v4 15/30] stellaris_enet: avoid buffer orerrun on incoming migration (part 3)
Date: Mon, 31 Mar 2014 17:16:55 +0300
CVE-2013-4532
s->tx_frame_len is read from the wire and can later be used as an index
into s->tx_fifo[] for memset() when a DATA command is issued by the guest.
In this case s->tx_frame_len is checked to avoid an overrun, but if the
value is negative a subsequently executed guest can underrun the buffer
with zeros via the memset() call.
Additionally, tx_frame_len is used to validate that tx_fifo_len
doesn't exceed the fifo bounds - the assumption being that the data model
never makes it exceed 2032.
Fix this by failing migration if the incoming value of s->tx_frame_len
is less than -1 (the emulation code allows -1 as a special case)
or if it exceeds 2032.
Reported-by: Michael Roth <address@hidden>
Reported-by: Peter Maydell <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
---
hw/net/stellaris_enet.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index aed00fd..90ff950 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -373,7 +373,11 @@ static int stellaris_enet_load(QEMUFile *f, void *opaque,
int version_id)
s->mtxd = qemu_get_be32(f);
s->mrxd = qemu_get_be32(f);
s->np = qemu_get_be32(f);
- s->tx_frame_len = qemu_get_be32(f);
+ v = qemu_get_be32(f);
+ if (v < -1 || s->tx_frame_len > 2032) {
+ return -EINVAL;
+ }
+ s->tx_frame_len = v;
v = qemu_get_be32(f);
/* How many bytes does data use in tx fifo. */
sz = s->tx_frame_len == -1 ? 2 : 4;
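Review bot: the upper-bound test in `if (v < -1 || s->tx_frame_len > 2032)` reads the field that has not been assigned yet, so it compares the stale in-memory value rather than the incoming one; `s->tx_frame_len = v;` only runs after the check, and any v greater than 2032 is accepted whenever the previous value was in range. The behaviour the commit message describes (fail migration if the incoming value exceeds 2032) needs `if (v < -1 || v > 2032)`, which also keeps the -1 special case and the `sz` computation on the following context line consistent with the validated value.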
--
MST
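The stale-field check in the posted hunk, shown as an added C example (my own code, not QEMU's): the ModelState, Stream and get_be32 stand-ins are assumptions constructed for this example, and TX_FRAME_MAX is the 2032 bound from the commit message. load_as_posted() mirrors the hunk's condition, load_fixed() tests the incoming value on both sides.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define TX_FRAME_MAX 2032          /* upper bound stated in the commit message */

/* Constructed stand-ins for the device state and the migration stream. */
typedef struct { int32_t tx_frame_len; } ModelState;
typedef struct { const uint8_t *buf; size_t len, pos; } Stream;

/* Big-endian 32-bit read in the spirit of qemu_get_be32(); yields 0 on a short stream. */
static int32_t get_be32(Stream *st) {
    if (st->pos + 4 > st->len) { return 0; }
    uint32_t v = ((uint32_t)st->buf[st->pos] << 24) | ((uint32_t)st->buf[st->pos + 1] << 16)
               | ((uint32_t)st->buf[st->pos + 2] << 8) | (uint32_t)st->buf[st->pos + 3];
    st->pos += 4;
    return (int32_t)v;
}

/* Condition exactly as in the hunk: the upper bound tests the not-yet-assigned field. */
int load_as_posted(ModelState *s, Stream *st) {
    int32_t v = get_be32(st);
    if (v < -1 || s->tx_frame_len > TX_FRAME_MAX) { return -EINVAL; }
    s->tx_frame_len = v;
    return 0;
}

/* Corrected condition: both bounds are applied to the incoming value v. */
int load_fixed(ModelState *s, Stream *st) {
    int32_t v = get_be32(st);
    if (v < -1 || v > TX_FRAME_MAX) { return -EINVAL; }
    s->tx_frame_len = v;
    return 0;
}

/* Encode one wire value, load it into a fresh state (tx_frame_len = 0) with the
 * chosen check, and report the return code plus the resulting field value. */
int load_value(int use_fixed, int32_t wire, int32_t *out) {
    uint32_t w = (uint32_t)wire;
    uint8_t enc[4] = { (uint8_t)(w >> 24), (uint8_t)(w >> 16), (uint8_t)(w >> 8), (uint8_t)w };
    Stream st = { enc, sizeof enc, 0 };
    ModelState s = { 0 };
    int rc = use_fixed ? load_fixed(&s, &st) : load_as_posted(&s, &st);
    *out = s.tx_frame_len;
    return rc;
}
```

With the posted condition an oversized value such as 5000 is accepted because the stale field is 0; the corrected condition rejects it while still admitting -1 and 2032.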