diff options
| author | Michael S. Tsirkin <mst@redhat.com> | 2014-04-28 16:08:23 +0300 |
|---|---|---|
| committer | Juan Quintela <quintela@redhat.com> | 2014-05-05 22:15:03 +0200 |
| commit | a890a2f9137ac3cf5b607649e66a6f3a5512d8dc (patch) | |
| tree | f2556f0707b771bb328990b803c2a660dec88faa | |
| parent | 98f93ddd84800f207889491e0b5d851386b459cf (diff) | |
| download | focaccia-qemu-a890a2f9137ac3cf5b607649e66a6f3a5512d8dc.tar.gz focaccia-qemu-a890a2f9137ac3cf5b607649e66a6f3a5512d8dc.zip | |
virtio: validate config_len on load
Malformed input can have config_len in migration stream exceed the array size allocated on destination, the result will be heap overflow. To fix, that config_len matches on both sides. CVE-2014-0182 Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> -- v2: use %ix and %zx to print config_len values Signed-off-by: Juan Quintela <quintela@redhat.com>
| -rw-r--r-- | hw/virtio/virtio.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index a70169af07..7f4e7eca0e 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val) int virtio_load(VirtIODevice *vdev, QEMUFile *f) { int i, ret; + int32_t config_len; uint32_t num; uint32_t features; uint32_t supported_features; @@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) features, supported_features); return -1; } - vdev->config_len = qemu_get_be32(f); + config_len = qemu_get_be32(f); + if (config_len != vdev->config_len) { + error_report("Unexpected config length 0x%x. Expected 0x%zx", + config_len, vdev->config_len); + return -1; + } qemu_get_buffer(f, vdev->config, vdev->config_len); num = qemu_get_be32(f); |