Re: [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer overflow in target

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer overflow in target

From:	Michael S. Tsirkin
Subject:	Re: [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer overflow in target-arm/machine.c
Date:	Tue, 1 Apr 2014 18:12:52 +0300

On Mon, Mar 31, 2014 at 04:40:41PM +0100, Peter Maydell wrote:
> On 31 March 2014 15:16, Michael S. Tsirkin <address@hidden> wrote:
> > CVE-2013-4531
> >
> > cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
> > cpreg_vmstate_array_len will cause a buffer overflow.
> >
> > VMSTATE_INT32_LE was supposed to protect against this
> > but doesn't because it doesn't validate that input is
> > non-negative.
> >
> > Fix this macro to valide the value appropriately.
> >
> > The only other user of VMSTATE_INT32_LE doesn't
> > ever use negative numbers so it doesn't care.
> 
> This fixes the bug, but it's rather unintuitive semantics
> for an INT32_LE not to simply do a signed comparison...
> Maybe rename the macro?
> 
> thanks
> -- PMM

Sure. I'll do it in a separate patch though.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer overflow in target-arm/machine.c, Michael S. Tsirkin <=

Prev by Date: Re: [Qemu-devel] [PATCH/RFC] KVM: s390: Add S390 configuration and control kvm device
Next by Date: Re: [Qemu-devel] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on incoming migration
Previous by thread: Re: [Qemu-devel] networking stalls in the guest -- backlog in the host
Next by thread: Re: [Qemu-devel] [PATCH v4 13/30] stellaris_enet: avoid buffer overrun on incoming migration
Index(es):
- Date
- Thread