aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael S. Tsirkin <mst@redhat.com>2014-04-28 16:08:23 +0300
committerJuan Quintela <quintela@redhat.com>2014-05-05 22:15:03 +0200
commita890a2f9137ac3cf5b607649e66a6f3a5512d8dc (patch)
treef2556f0707b771bb328990b803c2a660dec88faa
parent98f93ddd84800f207889491e0b5d851386b459cf (diff)
virtio: validate config_len on load
Malformed input can have config_len in migration stream exceed the array size allocated on destination, the result will be heap overflow. To fix, that config_len matches on both sides. CVE-2014-0182 Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> -- v2: use %ix and %zx to print config_len values Signed-off-by: Juan Quintela <quintela@redhat.com>
-rw-r--r--hw/virtio/virtio.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index a70169af07..7f4e7eca0e 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
int virtio_load(VirtIODevice *vdev, QEMUFile *f)
{
int i, ret;
+ int32_t config_len;
uint32_t num;
uint32_t features;
uint32_t supported_features;
@@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
features, supported_features);
return -1;
}
- vdev->config_len = qemu_get_be32(f);
+ config_len = qemu_get_be32(f);
+ if (config_len != vdev->config_len) {
+ error_report("Unexpected config length 0x%x. Expected 0x%zx",
+ config_len, vdev->config_len);
+ return -1;
+ }
qemu_get_buffer(f, vdev->config, vdev->config_len);
num = qemu_get_be32(f);