aboutsummaryrefslogtreecommitdiff
path: root/hw/ide
diff options
context:
space:
mode:
authorMichael S. Tsirkin <mst@redhat.com>2014-04-03 19:51:18 +0300
committerJuan Quintela <quintela@redhat.com>2014-05-05 22:15:02 +0200
commitae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5 (patch)
treea18a6b4d8f9757771f9c8ad043750b4b20dd6e4a /hw/ide
parentcc45995294b92d95319b4782750a3580cabdbc0c (diff)
ahci: fix buffer overrun on invalid state load
CVE-2013-4526 Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So we use the old version of ports to read the array but then allow any value for ports. This can cause the code to overflow. There's no reason to migrate ports - it never changes. So just make sure it matches. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Juan Quintela <quintela@redhat.com>
Diffstat (limited to 'hw/ide')
-rw-r--r--hw/ide/ahci.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 50327ffdf1..e57c5837d2 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = {
VMSTATE_UINT32(control_regs.impl, AHCIState),
VMSTATE_UINT32(control_regs.version, AHCIState),
VMSTATE_UINT32(idp_index, AHCIState),
- VMSTATE_INT32(ports, AHCIState),
+ VMSTATE_INT32_EQUAL(ports, AHCIState),
VMSTATE_END_OF_LIST()
},
};