Commit caa881ab authored Apr 03, 2014 by Michael S. Tsirkin Committed by Juan Quintela May 05, 2014

pxa2xx: avoid buffer overrun on incoming migration



CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

parent 36cf2a37

hw/arm/pxa2xx.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -732,7 +732,7 @@ static void pxa2xx_ssp_save(QEMUFile f, void opaque)
		static int pxa2xx_ssp_load(QEMUFile f, void opaque, int version_id)
		{
		PXA2xxSSPState s = (PXA2xxSSPState ) opaque;
		int i;
		int i, v;

		s->enable = qemu_get_be32(f);

		@@ -746,7 +746,11 @@ static int pxa2xx_ssp_load(QEMUFile f, void opaque, int version_id)
		qemu_get_8s(f, &s->ssrsa);
		qemu_get_8s(f, &s->ssacd);

		s->rx_level = qemu_get_byte(f);
		v = qemu_get_byte(f);
		if (v < 0 \|\| v > ARRAY_SIZE(s->rx_fifo)) {
		return -EINVAL;
		}
		s->rx_level = v;
		s->rx_start = 0;
		for (i = 0; i < s->rx_level; i ++)
		s->rx_fifo[i] = qemu_get_byte(f);