Date: Thu, 3 Apr 2014 19:51:18 +0300
From: "Michael S. Tsirkin"
Message-ID: <1396543778-22307-9-git-send-email-mst@redhat.com>
In-Reply-To: <1396543778-22307-1-git-send-email-mst@redhat.com>
Subject: [Qemu-devel] [PATCH v5 08/24] ahci: fix buffer overrun on invalid state load
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Peter Maydell, mdroth@linux.vnet.ibm.com, qemu-stable@nongnu.org, dgilbert@redhat.com, Anthony Liguori, Paolo Bonzini, Andreas Färber

CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.
So we use the old version of ports to read the array but then allow
any value for ports. This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.

Reported-by: Anthony Liguori
Signed-off-by: Michael S. Tsirkin
Reviewed-by: Peter Maydell
---
 hw/ide/ahci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index bfe633f..457a7a1 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = { VMSTATE_UINT32(control_regs.impl, AHCIState), VMSTATE_UINT32(control_regs.version, AHCIState), VMSTATE_UINT32(idp_index, AHCIState), - VMSTATE_INT32(ports, AHCIState), + VMSTATE_INT32_EQUAL(ports, AHCIState), VMSTATE_END_OF_LIST() }, }; -- MST
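Review bot: switching `ports` from VMSTATE_INT32 to VMSTATE_INT32_EQUAL turns a silently accepted mismatch into a hard load failure, and that behaviour change deserves a sentence in the commit message (this goes to qemu-stable): an incoming stream whose saved `ports` differs from the locally configured value is now refused by design, which is what prevents the field from being overwritten after the array sized by it has already been read. The hunk does not show the VARRAY line the message refers to, so a reviewer cannot confirm from the context alone that no other loaded field still indexes by `ports`; a short comment next to the `_EQUAL` entry stating that `ports` is fixed at device creation and only validated here would make that invariant visible to the next person who edits `vmstate_ahci`. Since no bytes on the wire change, leaving the vmstate version untouched is correct.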