From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42042) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WUd1Z-0001VU-54 for qemu-devel@nongnu.org; Mon, 31 Mar 2014 10:17:23 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WUd1Q-0000nd-MS for qemu-devel@nongnu.org; Mon, 31 Mar 2014 10:17:17 -0400 Date: Mon, 31 Mar 2014 17:17:33 +0300 From: "Michael S. Tsirkin" Message-ID: <1396275242-10810-25-git-send-email-mst@redhat.com> References: <1396275242-10810-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1396275242-10810-1-git-send-email-mst@redhat.com> Subject: [Qemu-devel] [PATCH v4 24/30] usb: sanity check setup_index+setup_len in post_load List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Gerd Hoffmann , dgilbert@redhat.com, mdroth@linux.vnet.ibm.com From: Gerd Hoffmann CVE-2013-4541 s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked against data_buf size. Signed-off-by: Gerd Hoffmann Signed-off-by: Michael S. Tsirkin --- hw/usb/bus.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/usb/bus.c b/hw/usb/bus.c index fe70429..8052bf1 100644 --- a/hw/usb/bus.c +++ b/hw/usb/bus.c @@ -53,6 +53,10 @@ static int usb_device_post_load(void *opaque, int version_id) dev->setup_len >= sizeof(dev->data_buf)) { return -EINVAL; } + if (dev->setup_index >= sizeof(dev->data_buf) || + dev->setup_len >= sizeof(dev->data_buf)) { + return -EINVAL; + } return 0; } -- MST