File CVE-2018-18438-qemuu-007-integer-overflow-in-cc... of Package xen.10697

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-18438-qemuu-007-integer-overflow-in-ccid_card_vscard_read-allows-memory-corruption.patch of Package xen.10697

References: bsc#1112188 CVE-2018-18438

The number of bytes can not be negative nor zero.

Fixed 2 format string:
- hw/char/spapr_vty.c
- hw/usb/ccid-card-passthru.c

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/qemu-char.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/qemu-char.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/qemu-char.c
@@ -426,7 +426,7 @@ static int mux_chr_can_read(void *opaque
     return 0;
 }
 
-static void mux_chr_read(void *opaque, const uint8_t *buf, int size)
+static void mux_chr_read(void *opaque, const uint8_t *buf, size_t size)
 {
     CharDriverState *chr = opaque;
     MuxDriver *d = chr->opaque;
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/grlib_apbuart.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/grlib_apbuart.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/grlib_apbuart.c
@@ -136,7 +136,7 @@ static int grlib_apbuart_can_receive(voi
     return FIFO_LENGTH - uart->len;
 }
 
-static void grlib_apbuart_receive(void *opaque, const uint8_t *buf, int size)
+static void grlib_apbuart_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     UART *uart = opaque;
 
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/imx_serial.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/imx_serial.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/imx_serial.c
@@ -366,7 +366,7 @@ static void imx_put_data(void *opaque, u
     imx_update(s);
 }
 
-static void imx_receive(void *opaque, const uint8_t *buf, int size)
+static void imx_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     imx_put_data(opaque, *buf);
 }
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/ipoctal232.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/ipoctal232.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/ipoctal232.c
@@ -470,7 +470,7 @@ static int hostdev_can_receive(void *opa
     return ch->rx_enabled ? available_bytes : 0;
 }
 
-static void hostdev_receive(void *opaque, const uint8_t *buf, int size)
+static void hostdev_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     SCC2698Channel *ch = opaque;
     IPOctalState *dev = ch->ipoctal;
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/lm32_juart.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/lm32_juart.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/lm32_juart.c
@@ -87,7 +87,7 @@ void lm32_juart_set_jrx(DeviceState *d,
     s->jrx &= ~JRX_FULL;
 }
 
-static void juart_rx(void *opaque, const uint8_t *buf, int size)
+static void juart_rx(void *opaque, const uint8_t *buf, size_t size)
 {
     LM32JuartState *s = opaque;
 
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/lm32_uart.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/lm32_uart.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/lm32_uart.c
@@ -210,7 +210,7 @@ static const MemoryRegionOps uart_ops =
     },
 };
 
-static void uart_rx(void *opaque, const uint8_t *buf, int size)
+static void uart_rx(void *opaque, const uint8_t *buf, size_t size)
 {
     LM32UartState *s = opaque;
 
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/mcf_uart.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/mcf_uart.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/mcf_uart.c
@@ -265,7 +265,7 @@ static int mcf_uart_can_receive(void *op
     return s->rx_enabled && (s->sr & MCF_UART_FFULL) == 0;
 }
 
-static void mcf_uart_receive(void *opaque, const uint8_t *buf, int size)
+static void mcf_uart_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     mcf_uart_state *s = (mcf_uart_state *)opaque;
 
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/milkymist-uart.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/milkymist-uart.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/milkymist-uart.c
@@ -159,7 +159,7 @@ static const MemoryRegionOps uart_mmio_o
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static void uart_rx(void *opaque, const uint8_t *buf, int size)
+static void uart_rx(void *opaque, const uint8_t *buf, size_t size)
 {
     MilkymistUartState *s = opaque;
 
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/pl011.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/pl011.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/pl011.c
@@ -223,7 +223,7 @@ static void pl011_put_fifo(void *opaque,
     }
 }
 
-static void pl011_receive(void *opaque, const uint8_t *buf, int size)
+static void pl011_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     pl011_put_fifo(opaque, *buf);
 }
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/sclpconsole.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/sclpconsole.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/sclpconsole.c
@@ -69,7 +69,7 @@ static void receive_from_chr_layer(SCLPC
 }
 
 /* Send data from a char device over to the guest */
-static void chr_read(void *opaque, const uint8_t *buf, int size)
+static void chr_read(void *opaque, const uint8_t *buf, size_t size)
 {
     SCLPConsole *scon = opaque;
 
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/serial.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/serial.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/serial.c
@@ -102,7 +102,7 @@ do { fprintf(stderr, "serial: " fmt , ##
 do {} while (0)
 #endif
 
-static void serial_receive1(void *opaque, const uint8_t *buf, int size);
+static void serial_receive1(void *opaque, const uint8_t *buf, size_t size);
 
 static inline void recv_fifo_put(SerialState *s, uint8_t chr)
 {
@@ -543,7 +543,7 @@ static int serial_can_receive1(void *opa
     return serial_can_receive(s);
 }
 
-static void serial_receive1(void *opaque, const uint8_t *buf, int size)
+static void serial_receive1(void *opaque, const uint8_t *buf, size_t size)
 {
     SerialState *s = opaque;
 
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/sh_serial.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/sh_serial.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/sh_serial.c
@@ -313,7 +313,7 @@ static int sh_serial_can_receive1(void *
     return sh_serial_can_receive(s);
 }
 
-static void sh_serial_receive1(void *opaque, const uint8_t *buf, int size)
+static void sh_serial_receive1(void *opaque, const uint8_t *buf, size_t size)
 {
     sh_serial_state *s = opaque;
 
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/spapr_vty.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/spapr_vty.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/spapr_vty.c
@@ -23,7 +23,7 @@ static int vty_can_receive(void *opaque)
     return (dev->in - dev->out) < VTERM_BUFSIZE;
 }
 
-static void vty_receive(void *opaque, const uint8_t *buf, int size)
+static void vty_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     VIOsPAPRVTYDevice *dev = VIO_SPAPR_VTY_DEVICE(opaque);
     int i;
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/virtio-console.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/virtio-console.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/virtio-console.c
@@ -92,7 +92,7 @@ static int chr_can_read(void *opaque)
 }
 
 /* Send data from a char device over to the guest */
-static void chr_read(void *opaque, const uint8_t *buf, int size)
+static void chr_read(void *opaque, const uint8_t *buf, size_t size)
 {
     VirtConsole *vcon = opaque;
 
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/xen_console.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/xen_console.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/xen_console.c
@@ -127,7 +127,7 @@ static int xencons_can_receive(void *opa
     return ring_free_bytes(con);
 }
 
-static void xencons_receive(void *opaque, const uint8_t *buf, int len)
+static void xencons_receive(void *opaque, const uint8_t *buf, size_t len)
 {
     struct XenConsole *con = opaque;
     struct xencons_interface *intf = con->sring;
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/xilinx_uartlite.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/char/xilinx_uartlite.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/char/xilinx_uartlite.c
@@ -166,7 +166,7 @@ static const MemoryRegionOps uart_ops =
     }
 };
 
-static void uart_rx(void *opaque, const uint8_t *buf, int size)
+static void uart_rx(void *opaque, const uint8_t *buf, size_t size)
 {
     XilinxUARTLite *s = opaque;
 
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/ccid-card-passthru.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/usb/ccid-card-passthru.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/ccid-card-passthru.c
@@ -262,14 +262,14 @@ static void ccid_card_vscard_drop_connec
     card->vscard_in_pos = card->vscard_in_hdr = 0;
 }
 
-static void ccid_card_vscard_read(void *opaque, const uint8_t *buf, int size)
+static void ccid_card_vscard_read(void *opaque, const uint8_t *buf, size_t size)
 {
     PassthruState *card = opaque;
     VSCMsgHeader *hdr;
 
     if (card->vscard_in_pos + size > VSCARD_IN_SIZE) {
         error_report(
-            "no room for data: pos %d +  size %d > %d. dropping connection.",
+            "no room for data: pos %d +  size %zu > %d. dropping connection.",
             card->vscard_in_pos, size, VSCARD_IN_SIZE);
         ccid_card_vscard_drop_connection(card);
         return;
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/dev-serial.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-serial.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/dev-serial.c
@@ -420,7 +420,7 @@ static int usb_serial_can_read(void *opa
     return RECV_BUF - s->recv_used;
 }
 
-static void usb_serial_read(void *opaque, const uint8_t *buf, int size)
+static void usb_serial_read(void *opaque, const uint8_t *buf, size_t size)
 {
     USBSerialState *s = opaque;
     int first_size, start;
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/redirect.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/usb/redirect.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/redirect.c
@@ -1206,7 +1206,7 @@ static int usbredir_chardev_can_read(voi
     return 1024 * 1024;
 }
 
-static void usbredir_chardev_read(void *opaque, const uint8_t *buf, int size)
+static void usbredir_chardev_read(void *opaque, const uint8_t *buf, size_t size)
 {
     USBRedirDevice *dev = opaque;
 
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/include/qemu/main-loop.h
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/include/qemu/main-loop.h
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/include/qemu/main-loop.h
@@ -168,7 +168,7 @@ void qemu_del_wait_object(HANDLE handle,
 
 /* async I/O support */
 
-typedef void IOReadHandler(void *opaque, const uint8_t *buf, int size);
+typedef void IOReadHandler(void *opaque, const uint8_t *buf, size_t size);
 typedef int IOCanReadHandler(void *opaque);
 
 /**
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/monitor.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/monitor.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/monitor.c
@@ -4573,7 +4573,7 @@ out:
 /**
  * monitor_control_read(): Read and handle QMP input
  */
-static void monitor_control_read(void *opaque, const uint8_t *buf, int size)
+static void monitor_control_read(void *opaque, const uint8_t *buf, size_t size)
 {
     Monitor *old_mon = cur_mon;
 
@@ -4584,7 +4584,7 @@ static void monitor_control_read(void *o
     cur_mon = old_mon;
 }
 
-static void monitor_read(void *opaque, const uint8_t *buf, int size)
+static void monitor_read(void *opaque, const uint8_t *buf, size_t size)
 {
     Monitor *old_mon = cur_mon;
     int i;
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/net/slirp.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/net/slirp.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/net/slirp.c
@@ -588,7 +588,7 @@ static int guestfwd_can_read(void *opaqu
     return slirp_socket_can_recv(fwd->slirp, fwd->server, fwd->port);
 }
 
-static void guestfwd_read(void *opaque, const uint8_t *buf, int size)
+static void guestfwd_read(void *opaque, const uint8_t *buf, size_t size)
 {
     struct GuestFwd *fwd = opaque;
     slirp_socket_recv(fwd->slirp, fwd->server, fwd->port, buf, size);
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/qtest.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/qtest.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/qtest.c
@@ -453,7 +453,7 @@ static void qtest_process_inbuf(CharDriv
     }
 }
 
-static void qtest_read(void *opaque, const uint8_t *buf, int size)
+static void qtest_read(void *opaque, const uint8_t *buf, size_t size)
 {
     CharDriverState *chr = opaque;

Places

File CVE-2018-18438-qemuu-007-integer-overflow-in-ccid_card_vscard_read-allows-memory-corruption.patch of Package xen.10697

Places