aboutsummaryrefslogtreecommitdiff
path: root/vmstate.c
diff options
context:
space:
mode:
authorMichael S. Tsirkin <mst@redhat.com>2014-04-03 19:51:42 +0300
committerJuan Quintela <quintela@redhat.com>2014-05-05 22:15:02 +0200
commitd2ef4b61fe6d33d2a5dcf100a9b9440de341ad62 (patch)
tree2804cfea3f62670d6be57eb102ad929f0a843581 /vmstate.c
parentd8d0a0bc7e194300e53a346d25fe5724fd588387 (diff)
vmstate: fix buffer overflow in target-arm/machine.c
CVE-2013-4531 cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for cpreg_vmstate_array_len will cause a buffer overflow. VMSTATE_INT32_LE was supposed to protect against this but doesn't because it doesn't validate that input is non-negative. Fix this macro to valide the value appropriately. The only other user of VMSTATE_INT32_LE doesn't ever use negative numbers so it doesn't care. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
Diffstat (limited to 'vmstate.c')
-rw-r--r--vmstate.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/vmstate.c b/vmstate.c
index f019228188..dbb76665d9 100644
--- a/vmstate.c
+++ b/vmstate.c
@@ -337,8 +337,9 @@ const VMStateInfo vmstate_info_int32_equal = {
.put = put_int32,
};
-/* 32 bit int. Check that the received value is less than or equal to
- the one in the field */
+/* 32 bit int. Check that the received value is non-negative
+ * and less than or equal to the one in the field.
+ */
static int get_int32_le(QEMUFile *f, void *pv, size_t size)
{
@@ -346,7 +347,7 @@ static int get_int32_le(QEMUFile *f, void *pv, size_t size)
int32_t loaded;
qemu_get_sbe32s(f, &loaded);
- if (loaded <= *cur) {
+ if (loaded >= 0 && loaded <= *cur) {
*cur = loaded;
return 0;
}