Skip to content
Commit 48935f02 authored by Michael S. Tsirkin's avatar Michael S. Tsirkin Committed by Michael Roth
Browse files

virtio: out-of-bounds buffer write on invalid state load 



CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.

Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: default avatarMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: default avatarJuan Quintela <quintela@redhat.com>
(cherry picked from commit cc459952)
Signed-off-by: default avatarMichael Roth <mdroth@linux.vnet.ibm.com>
parent 34774450
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment