File CVE-2013-4529-03-qemuu-pci-fix-buffer-overrun-o... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2013-4529-03-qemuu-pci-fix-buffer-overrun-on-invalid-state-load.patch of Package xen (Revision 078ee701765e3bda05366c837b94d8b7)

Currently displaying revision 078ee701765e3bda05366c837b94d8b7 , Show latest

References: bsc#964929 CVE-2013-4529

Subject: hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
From: Michael S. Tsirkin mst@redhat.com Thu Apr 3 19:51:31 2014 +0300
Date: Mon May 5 22:15:02 2014 +0200:
Git: 5f691ff91d323b6f97c6600405a7f9dc115a0ad1

4) CVE-2013-4529
hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is
                     too large

There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.

Fix both issues.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/pci/pcie_aer.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/pci/pcie_aer.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/pci/pcie_aer.c
@@ -795,6 +795,13 @@ static const VMStateDescription vmstate_
     }
 };
 
+static bool pcie_aer_state_log_num_valid(void *opaque, int version_id)
+{
+    PCIEAERLog *s = opaque;
+
+    return s->log_num <= s->log_max;
+}
+
 const VMStateDescription vmstate_pcie_aer_log = {
     .name = "PCIE_AER_ERROR_LOG",
     .version_id = 1,
@@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_ae
     .minimum_version_id_old = 1,
     .fields     = (VMStateField[]) {
         VMSTATE_UINT16(log_num, PCIEAERLog),
-        VMSTATE_UINT16(log_max, PCIEAERLog),
+        VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog),
+        VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid),
         VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num,
                               vmstate_pcie_aer_err, PCIEAERErr),
         VMSTATE_END_OF_LIST()

Places

File CVE-2013-4529-03-qemuu-pci-fix-buffer-overrun-on-invalid-state-load.patch of Package xen (Revision 078ee701765e3bda05366c837b94d8b7)

Places