From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41822) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Vnsn2-00064N-Fw for qemu-devel@nongnu.org; Tue, 03 Dec 2013 11:25:42 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Vnsmw-0006nl-HI for qemu-devel@nongnu.org; Tue, 03 Dec 2013 11:25:36 -0500 Date: Tue, 3 Dec 2013 18:28:59 +0200 From: "Michael S. Tsirkin" Message-ID: <1386087086-3691-15-git-send-email-mst@redhat.com> References: <1386087086-3691-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1386087086-3691-1-git-send-email-mst@redhat.com> Subject: [Qemu-devel] [PATCH 14/23] openpic: avoid buffer overrun on incoming migration List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Michael Roth From: Michael Roth CVE-2013-4534 opp->nb_cpus is read from the wire and used to determine how many IRQDest elements to read into opp->dst[]. If the value exceeds the length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary data from the wire. Fix this by failing migration if the value read from the wire exceeds MAX_CPU. Signed-off-by: Michael Roth Signed-off-by: Michael S. Tsirkin --- hw/intc/openpic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/intc/openpic.c b/hw/intc/openpic.c index 7df72f4..ab8c43d 100644 --- a/hw/intc/openpic.c +++ b/hw/intc/openpic.c @@ -1429,6 +1429,9 @@ static int openpic_load(QEMUFile* f, void *opaque, int version_id) qemu_get_be32s(f, &opp->tfrr); qemu_get_be32s(f, &opp->nb_cpus); + if (opp->nb_cpus > MAX_CPU) { + return -EINVAL; + } for (i = 0; i < opp->nb_cpus; i++) { qemu_get_sbe32s(f, &opp->dst[i].ctpr); -- MST