aboutsummaryrefslogtreecommitdiff
path: root/ui/vnc-enc-tight.h
diff options
context:
space:
mode:
authorMichael S. Tsirkin <mst@redhat.com>2014-04-11 15:18:08 +0300
committerPeter Maydell <peter.maydell@linaro.org>2014-04-11 16:02:23 +0100
commitedc243851279e3393000b28b6b69454cae1190ef (patch)
tree1adfa99b1b7df53c830985e6020c573f0437510f /ui/vnc-enc-tight.h
parent21e2db72601c48fa593ef7187faf17f324d925c5 (diff)
virtio-net: fix guest-triggerable buffer overrun
When VM guest programs multicast addresses for a virtio net card, it supplies a 32 bit entries counter for the number of addresses. These addresses are read into tail portion of a fixed macs array which has size MAC_TABLE_ENTRIES, at offset equal to in_use. To avoid overflow of this array by guest, qemu attempts to test the size as follows: - if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) { however, as mac_data.entries is uint32_t, this sum can overflow, e.g. if in_use is 1 and mac_data.entries is 0xffffffff then in_use + mac_data.entries will be 0. Qemu will then read guest supplied buffer into this memory, overflowing buffer on heap. CVE-2014-0150 Cc: qemu-stable@nongnu.org Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 1397218574-25058-1-git-send-email-mst@redhat.com Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'ui/vnc-enc-tight.h')
0 files changed, 0 insertions, 0 deletions