Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
xen.10697
CVE-2013-4538-qemuu-ssd0323-fix-buffer-overun-o...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2013-4538-qemuu-ssd0323-fix-buffer-overun-on-invalid-state.patch of Package xen.10697
References: bsc#962335 CVE-2013-4538 s->cmd_len used as index in ssd0323_transfer() to store 32-bit field. Possible this field might then be supplied by guest to overwrite a return addr somewhere. Same for row/col fields, which are indicies into framebuffer array. To fix validate after load. Signed-off-by: Michael S. Tsirkin <address@hidden> --- hw/display/ssd0323.c | 3 +++ 1 file changed, 3 insertions(+) Index: xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/display/ssd0323.c =================================================================== --- xen-4.4.3-testing.orig/tools/qemu-xen-dir-remote/hw/display/ssd0323.c +++ xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/display/ssd0323.c @@ -312,6 +312,9 @@ static int ssd0323_load(QEMUFile *f, voi return -EINVAL; s->cmd_len = qemu_get_be32(f); + if (s->cmd_len < 0 || s->cmd_len > ARRAY_SIZE(s->cmd_data)) { + return -EINVAL; + } s->cmd = qemu_get_be32(f); for (i = 0; i < 8; i++) s->cmd_data[i] = qemu_get_be32(f);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor