From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41752) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Vnsms-0005lz-3v for qemu-devel@nongnu.org; Tue, 03 Dec 2013 11:25:30 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Vnsmm-0006kX-B7 for qemu-devel@nongnu.org; Tue, 03 Dec 2013 11:25:26 -0500 Date: Tue, 3 Dec 2013 18:28:45 +0200 From: "Michael S. Tsirkin" Message-ID: <1386087086-3691-10-git-send-email-mst@redhat.com> References: <1386087086-3691-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1386087086-3691-1-git-send-email-mst@redhat.com> Subject: [Qemu-devel] [PATCH 09/23] target-arm/machine.c: fix buffer overflow on invalid state load List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Peter Maydell , qemu-stable@nongnu.org, Anthony Liguori CVE-2013-4531 cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for cpreg_vmstate_array_len will cause a buffer overflow. Reported-by: Anthony Liguori Signed-off-by: Michael S. Tsirkin --- target-arm/machine.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/target-arm/machine.c b/target-arm/machine.c index 74f010f..d46b7e8 100644 --- a/target-arm/machine.c +++ b/target-arm/machine.c @@ -178,6 +178,10 @@ static int cpu_post_load(void *opaque, int version_id) ARMCPU *cpu = opaque; int i, v; + if (cpu->cpreg_vmstate_array_len < 0) { + return -1; + } + /* Update the values list from the incoming migration data. * Anything in the incoming data which we don't know about is * a migration failure; anything we know about but the incoming -- MST
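Review bot: the new `if (cpu->cpreg_vmstate_array_len < 0) { return -1; }` sits in `cpu_post_load`, which runs after the VMState machinery has already consumed the `cpreg_vmstate_indexes` VARRAY_INT32 using that same length, so the commit message should state that the generic varray loader does not itself index with a negative count before post_load gets a chance to reject it; otherwise the check is too late to prevent the overflow this patch is meant to fix. The check is also one-sided: it rejects negative lengths but says nothing about a length larger than the buffer allocated for `cpreg_vmstate_indexes`, so either confirm the loader bounds it or add the upper comparison alongside this one. A one-line comment above the check (e.g. that a negative count is a malformed migration stream, consistent with the "migration failure" wording in the comment just below) would make the intent clear to the next reader.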