Commit 9f8e9895 authored Apr 03, 2014 by Michael S. Tsirkin Committed by Juan Quintela May 05, 2014

usb: sanity check setup_index+setup_len in post_load



CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

parent 3476436a

hw/usb/bus.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
		} else {
		dev->attached = 1;
		}
		if (dev->setup_index >= sizeof(dev->data_buf) \|\|
		if (dev->setup_index < 0 \|\|
		dev->setup_len < 0 \|\|
		dev->setup_index >= sizeof(dev->data_buf) \|\|
		dev->setup_len >= sizeof(dev->data_buf)) {
		return -EINVAL;
		}