Date: Tue, 1 Apr 2014 18:12:52 +0300
From: "Michael S. Tsirkin"
Message-ID: <20140401151252.GA9260@redhat.com>
References: <1396275242-10810-1-git-send-email-mst@redhat.com> <1396275242-10810-13-git-send-email-mst@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v4 12/30] vmstate: fix buffer overflow in target-arm/machine.c
To: Peter Maydell
Cc: Michael Roth, Juan Quintela, Alexey Kardashevskiy, qemu-stable, QEMU Developers, Anthony Liguori, Andreas Färber, Dave Gilbert

On Mon, Mar 31, 2014 at 04:40:41PM +0100, Peter Maydell wrote:
> On 31 March 2014 15:16, Michael S. Tsirkin wrote:
> > CVE-2013-4531
> >
> > cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
> > cpreg_vmstate_array_len will cause a buffer overflow.
> >
> > VMSTATE_INT32_LE was supposed to protect against this
> > but doesn't because it doesn't validate that input is
> > non-negative.
> >
> > Fix this macro to validate the value appropriately.
> >
> > The only other user of VMSTATE_INT32_LE doesn't
> > ever use negative numbers so it doesn't care.
>
> This fixes the bug, but it's rather unintuitive semantics
> for an INT32_LE not to simply do a signed comparison...
> Maybe rename the macro?
>
> thanks
> -- PMM

Sure. I'll do it in a separate patch though.
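The two comparisons the commit message contrasts, as an added example written for this page and not QEMU's own vmstate code: a constructed big-endian reader stands in for the migration stream, `int32_le_unfixed` keeps the pre-fix "loaded <= current" test, and `int32_le_fixed` adds the non-negative check the patch describes. All names and the three sample fields are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>
/* Constructed stand-in for the migration stream: a byte buffer read big-endian. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } stream_t;

/* Read one signed big-endian int32 from the stream; -1 on short read. */
static int get_sbe32(stream_t *s, int32_t *out)
{
    if (s->len - s->pos < 4) return -1;
    uint32_t v = ((uint32_t)s->buf[s->pos] << 24) | ((uint32_t)s->buf[s->pos + 1] << 16)
               | ((uint32_t)s->buf[s->pos + 2] << 8) | (uint32_t)s->buf[s->pos + 3];
    s->pos += 4;
    *out = (int32_t)v;
    return 0;
}

/* Pre-fix semantics: accept any loaded value not above the current in-memory
 * value. A negative count passes "loaded <= *cur" and becomes the array length. */
int int32_le_unfixed(stream_t *s, int32_t *cur)
{
    int32_t loaded;
    if (get_sbe32(s, &loaded) < 0) return -EINVAL;
    if (loaded > *cur) return -EINVAL;
    *cur = loaded;
    return 0;
}

/* Post-fix semantics: the loaded value must also be non-negative. */
int int32_le_fixed(stream_t *s, int32_t *cur)
{
    int32_t loaded;
    if (get_sbe32(s, &loaded) < 0) return -EINVAL;
    if (loaded < 0 || loaded > *cur) return -EINVAL;
    *cur = loaded;
    return 0;
}

/* Constructed 4-byte sample fields (big-endian): 3, -1 and 100. */
const uint8_t FIELD_3[4]    = {0x00, 0x00, 0x00, 0x03};
const uint8_t FIELD_NEG1[4] = {0xff, 0xff, 0xff, 0xff};
const uint8_t FIELD_100[4]  = {0x00, 0x00, 0x00, 0x64};

/* Apply one check to a field when the in-memory array length is `cur`.
 * Returns the length now stored (the loaded value, if accepted) or -EINVAL. */
int check_field(int (*check)(stream_t *, int32_t *), const uint8_t field[4], int32_t cur)
{
    stream_t s = { field, 4, 0 };
    int rc = check(&s, &cur);
    return rc == 0 ? cur : rc;
}
```

With a current length of 8, the unfixed check stores -1 for the all-ones field while the fixed check rejects it; both reject 100 and accept 3.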