render / rpms / qemu

Forked from rpms/qemu 10 months ago
Clone

Blame 0007-ahci-fix-buffer-overrun-on-invalid-state-load.patch

70114f
From 95fa012ed61e1e8b88d701b8f75b38dc5edb16e2 Mon Sep 17 00:00:00 2001
70114f
From: "Michael S. Tsirkin" <mst@redhat.com>
70114f
Date: Thu, 3 Apr 2014 19:51:18 +0300
70114f
Subject: [PATCH] ahci: fix buffer overrun on invalid state load
70114f
70114f
CVE-2013-4526
70114f
70114f
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
70114f
we use the old version of ports to read the array but then allow any
70114f
value for ports.  This can cause the code to overflow.
70114f
70114f
There's no reason to migrate ports - it never changes.
70114f
So just make sure it matches.
70114f
70114f
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
70114f
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
70114f
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
70114f
Signed-off-by: Juan Quintela <quintela@redhat.com>
70114f
(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
70114f
---
70114f
 hw/ide/ahci.c | 2 +-
70114f
 1 file changed, 1 insertion(+), 1 deletion(-)
70114f
70114f
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
70114f
index bfe633f..457a7a1 100644
70114f
--- a/hw/ide/ahci.c
70114f
+++ b/hw/ide/ahci.c
70114f
@@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = {
70114f
         VMSTATE_UINT32(control_regs.impl, AHCIState),
70114f
         VMSTATE_UINT32(control_regs.version, AHCIState),
70114f
         VMSTATE_UINT32(idp_index, AHCIState),
70114f
-        VMSTATE_INT32(ports, AHCIState),
70114f
+        VMSTATE_INT32_EQUAL(ports, AHCIState),
70114f
         VMSTATE_END_OF_LIST()
70114f
     },
70114f
 };