[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 051/156] tsc210x: fix buffer overrun on invalid stat
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 051/156] tsc210x: fix buffer overrun on invalid state load |
Date: |
Tue, 8 Jul 2014 12:17:22 -0500 |
From: "Michael S. Tsirkin" <address@hidden>
CVE-2013-4539
s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.
Validate after load to avoid buffer overrun.
Cc: Andreas Färber <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 5193be3be35f29a35bc465036cd64ad60d43385f)
Signed-off-by: Michael Roth <address@hidden>
---
hw/input/tsc210x.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/hw/input/tsc210x.c b/hw/input/tsc210x.c
index 485c9e5..aa5b688 100644
--- a/hw/input/tsc210x.c
+++ b/hw/input/tsc210x.c
@@ -1070,9 +1070,21 @@ static int tsc210x_load(QEMUFile *f, void *opaque, int
version_id)
s->enabled = qemu_get_byte(f);
s->host_mode = qemu_get_byte(f);
s->function = qemu_get_byte(f);
+ if (s->function < 0 || s->function >= ARRAY_SIZE(mode_regs)) {
+ return -EINVAL;
+ }
s->nextfunction = qemu_get_byte(f);
+ if (s->nextfunction < 0 || s->nextfunction >= ARRAY_SIZE(mode_regs)) {
+ return -EINVAL;
+ }
s->precision = qemu_get_byte(f);
+ if (s->precision < 0 || s->precision >= ARRAY_SIZE(resolution)) {
+ return -EINVAL;
+ }
s->nextprecision = qemu_get_byte(f);
+ if (s->nextprecision < 0 || s->nextprecision >= ARRAY_SIZE(resolution)) {
+ return -EINVAL;
+ }
s->filter = qemu_get_byte(f);
s->pin_func = qemu_get_byte(f);
s->ref = qemu_get_byte(f);
--
1.9.1
- [Qemu-devel] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check, (continued)
- [Qemu-devel] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 069/156] qemu-iotests: add ./check -cloop support, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 050/156] ssd0323: fix buffer overun on invalid state load, Michael Roth, 2014/07/09
- [Qemu-devel] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 143/156] KVM: Fix GSI number space limit, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 049/156] ssi-sd: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 109/156] block: Limit request size (CVE-2014-0143), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 095/156] qcow2: Zero-initialise first cluster for new images, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 113/156] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 051/156] tsc210x: fix buffer overrun on invalid state load,
Michael Roth <=
- [Qemu-devel] [PATCH 070/156] qemu-iotests: add cloop input validation tests, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 146/156] virtio-net: byteswap virtio-net header, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 004/156] s390x/virtio-hcall: Add range check for hypervisor call, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 010/156] tests: Fix 'make test' for i686 hosts (build regression), Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 012/156] mirror: fix throttling delay calculation, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 116/156] qcow1: Make padding in the header explicit, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 068/156] migration: catch unknown flags in ram_load, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 048/156] pxa2xx: avoid buffer overrun on incoming migration, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-devel] [PATCH 115/156] parallels: Sanity check for s->tracks (CVE-2014-0142), Michael Roth, 2014/07/10