Commit 52f91c37 authored by Michael S. Tsirkin's avatar Michael S. Tsirkin Committed by Juan Quintela
Browse files

zaurus: fix buffer overrun on invalid state load 



CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.

Since prev_level comes from wire indirectly, this can
happen on invalid state load.

Similarly for gpio_level and gpio_dir.

To fix, limit to 16 bit.

Reported-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: default avatarDr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: default avatarJuan Quintela <quintela@redhat.com>
parent 5193be3b

hw/gpio/zaurus.c

+10 −0
Original line number Diff line number Diff line
@@ -203,6 +203,15 @@ static bool is_version_0 (void *opaque, int version_id) 
    return version_id == 0;

}



static bool vmstate_scoop_validate(void *opaque, int version_id)

{

    ScoopInfo *s = opaque;



    return !(s->prev_level & 0xffff0000) &&

        !(s->gpio_level & 0xffff0000) &&

        !(s->gpio_dir & 0xffff0000);

}



static const VMStateDescription vmstate_scoop_regs = {

    .name = "scoop",

    .version_id = 1,
@@ -215,6 +224,7 @@ static const VMStateDescription vmstate_scoop_regs = { 
        VMSTATE_UINT32(gpio_level, ScoopInfo),

        VMSTATE_UINT32(gpio_dir, ScoopInfo),

        VMSTATE_UINT32(prev_level, ScoopInfo),

        VMSTATE_VALIDATE("irq levels are 16 bit", vmstate_scoop_validate),

        VMSTATE_UINT16(mcr, ScoopInfo),

        VMSTATE_UINT16(cdr, ScoopInfo),

        VMSTATE_UINT16(ccr, ScoopInfo),