Commit 802cbcb7 authored by Prasad J Pandit's avatar Prasad J Pandit Committed by Gerd Hoffmann
Browse files

ps2: check PS2Queue pointers in post_load routine 



During Qemu guest migration, a destination process invokes ps2
post_load function. In that, if 'rptr' and 'count' values were
invalid, it could lead to OOB access or infinite loop issue.
Add check to avoid it.

Reported-by: default avatarCyrille Chatras <cyrille.chatras@orange.com>
Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
Message-id: 20171116075155.22378-1-ppandit@redhat.com
Signed-off-by: default avatarGerd Hoffmann <kraxel@redhat.com>
parent a5f99be4

hw/input/ps2.c

+9 −12
Original line number Diff line number Diff line
@@ -1225,24 +1225,21 @@ static void ps2_common_reset(PS2State *s) 
static void ps2_common_post_load(PS2State *s)

{

    PS2Queue *q = &s->queue;

    int size;

    int i;

    int tmp_data[PS2_QUEUE_SIZE];

    uint8_t i, size;

    uint8_t tmp_data[PS2_QUEUE_SIZE];



    /* set the useful data buffer queue size, < PS2_QUEUE_SIZE */

    size = q->count > PS2_QUEUE_SIZE ? 0 : q->count;

    size = (q->count < 0 || q->count > PS2_QUEUE_SIZE) ? 0 : q->count;



    /* move the queue elements to the start of data array */

    if (size > 0) {

    for (i = 0; i < size; i++) {

            /* move the queue elements to the temporary buffer */

            tmp_data[i] = q->data[q->rptr];

            if (++q->rptr == 256) {

        if (q->rptr < 0 || q->rptr >= sizeof(q->data)) {

            q->rptr = 0;

        }

        tmp_data[i] = q->data[q->rptr++];

    }

    memcpy(q->data, tmp_data, size);

    }



    /* reset rptr/wptr/count */

    q->rptr = 0;

    q->wptr = size;