From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42034) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VnsnM-0006Gd-Ic for qemu-devel@nongnu.org; Tue, 03 Dec 2013 11:26:03 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VnsnG-0006sQ-8M for qemu-devel@nongnu.org; Tue, 03 Dec 2013 11:25:56 -0500 Date: Tue, 3 Dec 2013 18:29:18 +0200 From: "Michael S. Tsirkin" Message-ID: <1386087086-3691-22-git-send-email-mst@redhat.com> References: <1386087086-3691-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1386087086-3691-1-git-send-email-mst@redhat.com> Subject: [Qemu-devel] [PATCH 21/23] usb: sanity check setup_index+setup_len in post_load List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Gerd Hoffmann From: Gerd Hoffmann CVE-2013-4541 s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked against data_buf size. Signed-off-by: Gerd Hoffmann Signed-off-by: Michael S. Tsirkin --- hw/usb/bus.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/usb/bus.c b/hw/usb/bus.c index ca329be..4ed1c3b 100644 --- a/hw/usb/bus.c +++ b/hw/usb/bus.c @@ -51,6 +51,10 @@ static int usb_device_post_load(void *opaque, int version_id) dev->setup_len >= sizeof(dev->data_buf)) { return -EINVAL; } + if (dev->setup_index >= sizeof(dev->data_buf) || + dev->setup_len >= sizeof(dev->data_buf)) { + return -EINVAL; + } return 0; } -- MST