qemu-devel
From: Michael S. Tsirkin
Subject: [Qemu-devel] [PATCH 20/23] zaurus: fix buffer overrun on invalid state load
Date: Tue, 3 Dec 2013 18:29:16 +0200

CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that does a buffer overrun.

Since prev_level comes from the wire indirectly, this can
happen on invalid state load.

To fix, limit to 16 bits.

Signed-off-by: Michael S. Tsirkin <address@hidden>
---
 hw/gpio/zaurus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/gpio/zaurus.c b/hw/gpio/zaurus.c
index dc79a8b..f3b02c3 100644
--- a/hw/gpio/zaurus.c
+++ b/hw/gpio/zaurus.c
@@ -60,7 +60,7 @@ struct ScoopInfo {
 #define SCOOP_GPRR     0x28
 
 static inline void scoop_gpio_handler_update(ScoopInfo *s) {
-    uint32_t level, diff;
+    uint16_t level, diff;
     int bit;
     level = s->gpio_level & s->gpio_dir;
 
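Review bot: the fix works only through implicit narrowing, and nothing in the hunk says so. `level = s->gpio_level & s->gpio_dir;` now assigns into a `uint16_t`, so any bits above 15 in those fields (and in `s->prev_level`, once it is XORed into `diff`) are silently dropped, and that truncation is what keeps `bit` inside the handler array. A later reader who sees a 32-bit field stored into a 16-bit local may well "fix" it back to `uint32_t` and reintroduce CVE-2013-4540. Please add a one-line comment on the `uint16_t level, diff;` declaration stating that SCOOP has 16 GPIO lines and that the 16-bit width is deliberate so `bit` cannot exceed 15. It would also be worth considering masking `prev_level` in the device's post_load hook, so the invalid state is rejected or sanitised where it enters rather than relying on the arithmetic width of a local variable.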
-- 
MST
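The overrun the commit message describes, modelled as an added example that is not part of this patch or of QEMU's hw/gpio/zaurus.c. It assumes a 16-entry per-line handler array and a shift loop over `diff` that indexes it by bit number; the real loop body is not shown on this page, and `ModelScoop`, `deliver`, `load_corrupt_state` and the `*_corrupt_load` helpers are constructed for the demonstration. The pre-patch variant keeps `level`/`diff` as `uint32_t`; the post-patch variant narrows them to `uint16_t` exactly as the hunk does, and the corrupt state (bit 31 set in `prev_level`) is constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_GPIO 16   /* assumed: 16 GPIO lines, one handler slot per bit */

/* Constructed stand-in for ScoopInfo; field widths are assumptions. */
typedef struct {
    uint32_t gpio_level;
    uint32_t gpio_dir;
    uint32_t prev_level;           /* restored from the migration stream */
    int handler_hits[N_GPIO];      /* stands in for the per-line handler array */
} ModelScoop;

/* Deliver an edge on line `bit`, or count it as an out-of-range access
 * instead of writing past handler_hits[] as the real code would. */
static int deliver(ModelScoop *s, int bit)
{
    if (bit >= N_GPIO) {
        return 1;                  /* would be the buffer overrun in real code */
    }
    s->handler_hits[bit]++;
    return 0;
}

/* Before the patch: 32-bit level/diff. Any bit above 15 that survives in
 * prev_level lands in diff, and the loop walks bit up to 31. Returns the
 * number of out-of-range indices produced (non-zero means an overrun). */
static int update_u32(ModelScoop *s)
{
    uint32_t level, diff;
    int bit, oob = 0;
    level = s->gpio_level & s->gpio_dir;
    diff = s->prev_level ^ level;
    for (bit = 0; diff; bit++, diff >>= 1) {
        if (diff & 1) {
            oob += deliver(s, bit);
        }
    }
    s->prev_level = level;
    return oob;
}

/* After the patch: 16-bit level/diff. The XOR with the 32-bit prev_level is
 * truncated on assignment, so diff never holds bits above 15 and bit cannot
 * exceed N_GPIO - 1. Same return convention as update_u32. */
static int update_u16(ModelScoop *s)
{
    uint16_t level, diff;
    int bit, oob = 0;
    level = s->gpio_level & s->gpio_dir;
    diff = s->prev_level ^ level;
    for (bit = 0; diff; bit++, diff >>= 1) {
        if (diff & 1) {
            oob += deliver(s, bit);
        }
    }
    s->prev_level = level;
    return oob;
}

/* Constructed "invalid state load": prev_level arrives with bit 31 set,
 * and a genuine edge on line 3 must still be delivered afterwards. */
static void load_corrupt_state(ModelScoop *s)
{
    memset(s, 0, sizeof(*s));
    s->prev_level = 0x80000000u;   /* poisoned by the incoming state */
    s->gpio_dir = 0xffff;
    s->gpio_level = 1u << 3;       /* line 3 changed since the saved state */
}

/* Run the corrupt-state scenario through the old or the patched routine. */
static int run_corrupt_load(int patched, ModelScoop *s)
{
    load_corrupt_state(s);
    return patched ? update_u16(s) : update_u32(s);
}

/* Out-of-range handler indices produced by the scenario. */
static int oob_after_corrupt_load(int patched)
{
    ModelScoop s;
    return run_corrupt_load(patched, &s);
}

/* How often the legitimate edge on line 3 was delivered. */
static int line3_hits_after_corrupt_load(int patched)
{
    ModelScoop s;
    run_corrupt_load(patched, &s);
    return s.handler_hits[3];
}

int main(void)
{
    printf("uint32_t: %d out-of-range index(es), line 3 hit %d time(s)\n",
           oob_after_corrupt_load(0), line3_hits_after_corrupt_load(0));
    printf("uint16_t: %d out-of-range index(es), line 3 hit %d time(s)\n",
           oob_after_corrupt_load(1), line3_hits_after_corrupt_load(1));
    return 0;
}
```

The narrowed version loses nothing legitimate: the edge on line 3 is still delivered, only the poisoned high bit disappears at the `uint16_t` assignment. That is also the caveat: the protection lives in the width of a local variable, so a comment at the declaration (or a mask in post_load) is what keeps it from being undone.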
