Date: Tue, 29 Nov 2011 11:36:34 +0200
From: Alon Levy
Message-ID: <20111129093634.GA7747@garlic.tlv.redhat.com>
References: <1322508457-25520-1-git-send-email-armbru@redhat.com>
In-Reply-To: <1322508457-25520-1-git-send-email-armbru@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message
To: anthony@codemonkey.ws
Cc: qemu-devel@nongnu.org, Markus Armbruster

On Mon, Nov 28, 2011 at 08:27:37PM +0100, Markus Armbruster wrote:
> ATR size exceeding the limit is diagnosed, but then we merrily use it
> anyway, overrunning card->atr[].
>
> The message is read from a character device. Obvious security
> implications unless the other end of the character device is trusted.
>
> Spotted by Coverity. CVE-2011-4111.
>

Anthony, do you want me to do a pull request for this or can you merge it as is?

Alon

> Signed-off-by: Markus Armbruster
> ---
> hw/ccid-card-passthru.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
> index 2cbc81b..9f51c6c 100644
> --- a/hw/ccid-card-passthru.c
> +++ b/hw/ccid-card-passthru.c
> @@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card, > error_report("ATR size exceeds spec, ignoring"); > ccid_card_vscard_send_error(card, scr_msg_header->reader_id, > VSC_GENERAL_ERROR); > + break; > } > memcpy(card->atr, data, scr_msg_header->length); > card->atr_length = scr_msg_header->length; > -- > 1.7.6.4 >
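Review bot: with the new `break;` in place, the safety of `memcpy(card->atr, data, scr_msg_header->length)` at the end of this hunk rests entirely on the bounds check whose `if` header sits just above the visible context; please confirm that check rejects every `scr_msg_header->length` greater than `sizeof(card->atr)` (a comparison against a spec constant that is not the array size would leave a gap or an off-by-one), and consider a short comment on the `break;`, since the error text "ATR size exceeds spec, ignoring" was previously untrue and the report-then-continue pattern is easy to reintroduce. Separately, `scr_msg_header->length` comes from the character device and the hunk shows no check that `data` actually holds that many bytes; if the framing code above this function does not enforce it, the memcpy can read past the received buffer even for an in-range ATR size, so it would be worth stating in the commit message where that is guaranteed.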
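Added example, not QEMU's or libcacard's code: the bug the commit message describes, a handler that diagnoses the oversized ATR and "sends" an error but then falls through into the copy anyway, next to a handler that stops the way the patch's break; does. It goes one step beyond the patch by also checking the peer-supplied length against the bytes actually received before it can become a memcpy count. The header layout, host-order framing, MAX_ATR_SIZE serving as both the spec limit and the size of atr[], and VSC_ATR == 1 are assumptions made for the example; the messages are constructed inside run_scenarios().

```c
/* Added example, not QEMU/libcacard code: the VSC_ATR control-flow bug from the
 * commit message (oversized length diagnosed, error sent, copy done anyway) next
 * to a handler that stops, plus a check that a peer-supplied length does not
 * exceed the bytes actually received.  Header layout, host-order framing,
 * MAX_ATR_SIZE == sizeof atr[] and VSC_ATR == 1 are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATR_SIZE 33u  /* assumed ATR limit; also the atr buffer size */
#define GUARD_SIZE   32u  /* stands in for memory that follows atr[] */
#define VSC_ATR      1u   /* assumed message type code */

struct vsc_msg_header { uint32_t type, reader_id, length; }; /* assumed wire header */

struct card_state {
    /* atr points at the first MAX_ATR_SIZE bytes of arena; the bytes after it model
     * what the real layout places after atr[], so an overrun of up to GUARD_SIZE
     * bytes is observable without undefined behaviour. */
    uint8_t  arena[MAX_ATR_SIZE + GUARD_SIZE];
    uint8_t *atr;
    uint32_t atr_length;
    unsigned errors_sent; /* stand-in for ccid_card_vscard_send_error() */
};

static void card_init(struct card_state *card)
{
    memset(card, 0, sizeof *card);
    card->atr = card->arena;
}

/* Frame one message as the peer would send it (constructed test input). */
static size_t build_msg(uint8_t *out, size_t cap, uint32_t type, uint32_t length, uint8_t fill)
{
    struct vsc_msg_header hdr = { type, 0, length };
    if (cap < sizeof hdr + length) return 0;
    memcpy(out, &hdr, sizeof hdr);
    memset(out + sizeof hdr, fill, length);
    return sizeof hdr + length;
}

/* Header + payload split; rejects a length that claims more than was received. */
static int parse_msg(const uint8_t *buf, size_t avail, struct vsc_msg_header *hdr,
                     const uint8_t **payload)
{
    if (avail < sizeof *hdr) return -1;
    memcpy(hdr, buf, sizeof *hdr);
    if (hdr->length > avail - sizeof *hdr) return -1;
    *payload = buf + sizeof *hdr;
    return 0;
}

/* Pre-fix flow: report, "send" the error, then fall through into the copy. */
static int handle_vulnerable(struct card_state *card, const uint8_t *buf, size_t avail)
{
    struct vsc_msg_header hdr; const uint8_t *data = NULL;
    if (parse_msg(buf, avail, &hdr, &data) < 0 || hdr.type != VSC_ATR) return -1;
    if (hdr.length > MAX_ATR_SIZE) {
        fputs("ATR size exceeds spec, ignoring\n", stderr);
        card->errors_sent++;
        /* no break here: "ignoring" is not what happens next */
    }
    memcpy(card->atr, data, hdr.length);  /* overruns atr[] when length > MAX_ATR_SIZE */
    card->atr_length = hdr.length;
    return 0;
}

/* Fixed flow: rejecting the ATR ends handling of this message (the patch's break;). */
static int handle_fixed(struct card_state *card, const uint8_t *buf, size_t avail)
{
    struct vsc_msg_header hdr; const uint8_t *data = NULL;
    if (parse_msg(buf, avail, &hdr, &data) < 0 || hdr.type != VSC_ATR) return -1;
    if (hdr.length > MAX_ATR_SIZE) {
        fputs("ATR size exceeds spec, ignoring\n", stderr);
        card->errors_sent++;
        return -1;
    }
    memcpy(card->atr, data, hdr.length);
    card->atr_length = hdr.length;
    return 0;
}

/* Runs the scenarios; returns 0 when every expectation holds, else the failing step. */
static int run_scenarios(void)
{
    struct card_state card; uint8_t msg[128];
    size_t n = build_msg(msg, sizeof msg, VSC_ATR, MAX_ATR_SIZE + 8, 0xAA);

    card_init(&card);                      /* oversized ATR, old code */
    if (handle_vulnerable(&card, msg, n) != 0 || card.errors_sent != 1) return 1;
    if (card.atr_length != MAX_ATR_SIZE + 8 || card.arena[MAX_ATR_SIZE] != 0xAA) return 2;

    card_init(&card);                      /* oversized ATR, fixed code */
    if (handle_fixed(&card, msg, n) != -1 || card.errors_sent != 1) return 3;
    if (card.atr_length != 0 || card.arena[MAX_ATR_SIZE] != 0) return 4;

    n = build_msg(msg, sizeof msg, VSC_ATR, 10, 0x3B);   /* valid ATR */
    if (handle_fixed(&card, msg, n) != 0 || card.atr_length != 10 || card.atr[0] != 0x3B) return 5;

    /* header claims 10 payload bytes but only 4 were delivered */
    if (handle_fixed(&card, msg, sizeof(struct vsc_msg_header) + 4) != -1) return 6;
    return card.atr_length == 10 ? 0 : 7;  /* rejected message left state alone */
}

int main(void)
{
    int rc = run_scenarios();
    printf("scenarios: %s (%d)\n", rc == 0 ? "all as expected" : "FAILED", rc);
    return rc;
}
```

Build with cc -Wall and run; the old flow leaves errors_sent at 1 yet copies 41 bytes and clobbers the byte right after atr[], while the fixed flow reports the same error and copies nothing. Pointing atr at the front of a larger arena is what makes the clobbered bytes inspectable in a test rather than undefined behaviour; in the real layout those bytes would be whatever follows atr[] in PassthruState.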