[Qemu-stable] [PATCH 039/156] ahci: fix buffer overrun on invalid state
From: Michael Roth
Subject: [Qemu-stable] [PATCH 039/156] ahci: fix buffer overrun on invalid state load
Date: Tue, 8 Jul 2014 12:17:10 -0500
From: "Michael S. Tsirkin" <address@hidden>
CVE-2013-4526
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
we use the old version of ports to read the array but then allow any
value for ports. This can cause the code to overflow.
There's no reason to migrate ports - it never changes.
So just make sure it matches.
Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
Signed-off-by: Michael Roth <address@hidden>
---
hw/ide/ahci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index fbea9e8..e321274 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1290,7 +1290,7 @@ const VMStateDescription vmstate_ahci = {
VMSTATE_UINT32(control_regs.impl, AHCIState),
VMSTATE_UINT32(control_regs.version, AHCIState),
VMSTATE_UINT32(idp_index, AHCIState),
- VMSTATE_INT32(ports, AHCIState),
+ VMSTATE_INT32_EQUAL(ports, AHCIState),
VMSTATE_END_OF_LIST()
},
};
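Review bot: The `VMSTATE_INT32_EQUAL(ports, AHCIState)` line carries no comment saying why this field must be compared rather than loaded, so a later cleanup could turn it back into a plain `VMSTATE_INT32`. A one-line comment above it, stating that ports sizes the VARRAY mentioned in the commit message and never changes at runtime, would keep the reason next to the code. It is also worth stating in the commit message that the field stays in the stream, so an incoming state with a different ports value now fails the load instead of being accepted.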
--
1.9.1
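The load-order problem the commit message describes, as an added example that is not part of the original patch and is not QEMU's code. It is a simplified model: the `Toy*`/`toy_*` names, the four-register port layout and the big-endian stream format are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model, not QEMU code: dev[] is sized once from a fixed port count. */
typedef struct { uint32_t regs[4]; } ToyPort;
typedef struct { int32_t ports; ToyPort *dev; } ToyAhci;

/* Read one big-endian 32-bit value from the stream; -1 if it is truncated. */
static int get_be32(const uint8_t *buf, size_t len, size_t *off, int32_t *out)
{
    if (len - *off < 4)
        return -1;
    const uint8_t *p = buf + *off;
    *out = (int32_t)((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
                     (uint32_t)p[2] << 8 | (uint32_t)p[3]);
    *off += 4;
    return 0;
}

/* The array is read using the destination's current ports, then the ports
 * field itself is loaded. must_equal=0 models the plain field,
 * must_equal=1 models the equality check. */
int toy_load(ToyAhci *s, const uint8_t *buf, size_t len, int must_equal)
{
    size_t off = 0;
    int32_t v;
    for (int32_t i = 0; i < s->ports; i++)
        for (int r = 0; r < 4; r++) {
            if (get_be32(buf, len, &off, &v))
                return -1;
            s->dev[i].regs[r] = (uint32_t)v;
        }
    if (get_be32(buf, len, &off, &v))
        return -1;
    if (must_equal && v != s->ports)
        return -1;      /* stream disagrees with the device: fail the load */
    s->ports = v;       /* unchecked: ports may now exceed what dev[] holds */
    return 0;
}

/* Constructed input: state for a 2-port device whose ports field claims
 * stream_ports. Returns the port count the device holds after the attempt. */
int32_t toy_demo(int must_equal, uint8_t stream_ports, int *rc)
{
    uint8_t buf[2 * 4 * 4 + 4] = {0};
    ToyPort dev[2];
    ToyAhci s = { 2, dev };
    buf[sizeof buf - 1] = stream_ports;   /* low byte of the big-endian field */
    *rc = toy_load(&s, buf, sizeof buf, must_equal);
    return s.ports;
}

int main(void) { int rc; return toy_demo(1, 32, &rc) == 2 ? 0 : 1; }
```

With the plain field the load succeeds and the device is left with a port count larger than its array; with the equality check the load is refused and the count is unchanged.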