diff options
| author | Michael S. Tsirkin <mst@redhat.com> | 2014-04-03 19:51:42 +0300 |
|---|---|---|
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2014-06-26 14:15:02 -0500 |
| commit | 630ebeffb4a08f85db748b6908339a60fc213cae (patch) | |
| tree | 5d0a3e1af66f35470d00846cc956523552112f2f /savevm.c | |
| parent | a2b4e846b350f78fcb737195a40c5900923d5be8 (diff) | |
vmstate: fix buffer overflow in target-arm/machine.c
CVE-2013-4531
cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.
VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.
Fix this macro to valide the value appropriately.
The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)
Conflicts:
vmstate.c
*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Diffstat (limited to 'savevm.c')
| -rw-r--r-- | savevm.c | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -1111,8 +1111,9 @@ const VMStateInfo vmstate_info_int32_equal = { .put = put_int32, }; -/* 32 bit int. Check that the received value is less than or equal to - the one in the field */ +/* 32 bit int. Check that the received value is non-negative + * and less than or equal to the one in the field. + */ static int get_int32_le(QEMUFile *f, void *pv, size_t size) { @@ -1120,7 +1121,7 @@ static int get_int32_le(QEMUFile *f, void *pv, size_t size) int32_t loaded; qemu_get_sbe32s(f, &loaded); - if (loaded <= *cur) { + if (loaded >= 0 && loaded <= *cur) { *cur = loaded; return 0; } |