From a608c9c4150820ec64f5f25f6ebe244906c015da Mon Sep 17 00:00:00 2001

From: "Michael S. Tsirkin" <mst@redhat.com>

Date: Thu, 3 Apr 2014 19:52:25 +0300

Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as

size/offset into s->data_buf, it's possible for invalid state to exploit

this to load arbitrary data.

setup_len and setup_index should be checked to make sure

they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Juan Quintela <quintela@redhat.com>

(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)

---

 hw/usb/bus.c | 4 +++-

 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/usb/bus.c b/hw/usb/bus.c

index fe70429..e48b19f 100644

--- a/hw/usb/bus.c

+++ b/hw/usb/bus.c

@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)

     } else {

         dev->attached = 1;

     }

-    if (dev->setup_index >= sizeof(dev->data_buf) ||

+    if (dev->setup_index < 0 ||

+        dev->setup_len < 0 ||

+        dev->setup_index >= sizeof(dev->data_buf) ||

         dev->setup_len >= sizeof(dev->data_buf)) {

         return -EINVAL;

     }