diff options
| author | Michael Roth | 2014-04-03 18:51:46 +0200 |
|---|---|---|
| committer | Juan Quintela | 2014-05-05 22:15:02 +0200 |
| commit | 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1 (patch) | |
| tree | 83beef3b93918cf372cc3c948398d59e18dea64a /hw/timer/imx_epit.c | |
| parent | vmstate: fix buffer overflow in target-arm/machine.c (diff) | |
| download | qemu-4b53c2c72cb5541cf394033b528a6fe2a86c0ac1.tar.gz qemu-4b53c2c72cb5541cf394033b528a6fe2a86c0ac1.tar.xz qemu-4b53c2c72cb5541cf394033b528a6fe2a86c0ac1.zip | |
virtio: avoid buffer overrun on incoming migration
CVE-2013-6399
vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.
Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Diffstat (limited to 'hw/timer/imx_epit.c')
0 files changed, 0 insertions, 0 deletions