diff options
author | Michael S. Tsirkin <mst@redhat.com> | 2014-04-28 16:08:23 +0300 |
---|---|---|
committer | Juan Quintela <quintela@redhat.com> | 2014-05-05 22:15:03 +0200 |
commit | a890a2f9137ac3cf5b607649e66a6f3a5512d8dc (patch) | |
tree | f2556f0707b771bb328990b803c2a660dec88faa | |
parent | 98f93ddd84800f207889491e0b5d851386b459cf (diff) | |
download | hqemu-a890a2f9137ac3cf5b607649e66a6f3a5512d8dc.zip hqemu-a890a2f9137ac3cf5b607649e66a6f3a5512d8dc.tar.gz |
virtio: validate config_len on load
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--
v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
-rw-r--r-- | hw/virtio/virtio.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index a70169a..7f4e7ec 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val) int virtio_load(VirtIODevice *vdev, QEMUFile *f) { int i, ret; + int32_t config_len; uint32_t num; uint32_t features; uint32_t supported_features; @@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) features, supported_features); return -1; } - vdev->config_len = qemu_get_be32(f); + config_len = qemu_get_be32(f); + if (config_len != vdev->config_len) { + error_report("Unexpected config length 0x%x. Expected 0x%zx", + config_len, vdev->config_len); + return -1; + } qemu_get_buffer(f, vdev->config, vdev->config_len); num = qemu_get_be32(f); |