[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 055/156] usb: sanity check setup_index+setup_len in
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 055/156] usb: sanity check setup_index+setup_len in post_load |
Date: |
Tue, 8 Jul 2014 12:17:26 -0500 |
From: "Michael S. Tsirkin" <address@hidden>
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
Cc: Gerd Hoffmann <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
Signed-off-by: Michael Roth <address@hidden>
---
hw/usb/bus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index ca329be..53c85fe 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -47,7 +47,9 @@ static int usb_device_post_load(void *opaque, int version_id)
} else {
dev->attached = 1;
}
- if (dev->setup_index >= sizeof(dev->data_buf) ||
+ if (dev->setup_index < 0 ||
+ dev->setup_len < 0 ||
+ dev->setup_index >= sizeof(dev->data_buf) ||
dev->setup_len >= sizeof(dev->data_buf)) {
return -EINVAL;
}
--
1.9.1
- [Qemu-stable] [PATCH 040/156] hpet: fix buffer overrun on invalid state load, (continued)
- [Qemu-stable] [PATCH 040/156] hpet: fix buffer overrun on invalid state load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 048/156] pxa2xx: avoid buffer overrun on incoming migration, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 036/156] virtio-net: out-of-bounds buffer write on invalid state load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 041/156] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 045/156] virtio: avoid buffer overrun on incoming migration, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 046/156] openpic: avoid buffer overrun on incoming migration, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 044/156] vmstate: fix buffer overflow in target-arm/machine.c, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 043/156] Fix vmstate_info_int32_le comparison/assign, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 054/156] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 056/156] savevm: Ignore minimum_version_id_old if there is no load_state_old, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 055/156] usb: sanity check setup_index+setup_len in post_load,
Michael Roth <=
- [Qemu-stable] [PATCH 059/156] target-i386: fix set of registers zeroed on reset, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 060/156] target-arm: Make vbar_write 64bit friendly on 32bit hosts, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 064/156] spapr_pci: Fix number of returned vectors in ibm, change-msi, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 065/156] pci-assign: limit # of msix vectors, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 062/156] linux-user/elfload.c: Update ARM HWCAP bits, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 063/156] linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32, Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 072/156] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144), Michael Roth, 2014/07/08
- [Qemu-stable] [PATCH 075/156] block/cloop: fix offsets[] size off-by-one, Michael Roth, 2014/07/08