From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:47745) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WVkrt-0006lt-O3 for qemu-devel@nongnu.org; Thu, 03 Apr 2014 12:52:03 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WVkrn-0005ql-Jc for qemu-devel@nongnu.org; Thu, 03 Apr 2014 12:51:57 -0400 Date: Thu, 3 Apr 2014 19:52:25 +0300 From: "Michael S. Tsirkin" Message-ID: <1396543778-22307-24-git-send-email-mst@redhat.com> References: <1396543778-22307-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1396543778-22307-1-git-send-email-mst@redhat.com> Subject: [Qemu-devel] [PATCH v5 23/24] usb: sanity check setup_index+setup_len in post_load List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Peter Maydell , qemu-stable@nongnu.org, Gerd Hoffmann , dgilbert@redhat.com, mdroth@linux.vnet.ibm.com CVE-2013-4541 s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked to make sure they are not negative. Cc: Gerd Hoffmann Signed-off-by: Michael S. Tsirkin --- hw/usb/bus.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/usb/bus.c b/hw/usb/bus.c index fe70429..e48b19f 100644 --- a/hw/usb/bus.c +++ b/hw/usb/bus.c @@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id) } else { dev->attached = 1; } - if (dev->setup_index >= sizeof(dev->data_buf) || + if (dev->setup_index < 0 || + dev->setup_len < 0 || + dev->setup_index >= sizeof(dev->data_buf) || dev->setup_len >= sizeof(dev->data_buf)) { return -EINVAL; } -- MST