File 0069-ahci-fix-buffer-overrun-on-invalid-.patch of Package qemu-linux-user
From b8ee1ebee9e006a1a74ef047be3ede1bec2494bc Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" <mst@redhat.com> Date: Thu, 3 Apr 2014 19:51:18 +0300 Subject: [PATCH] ahci: fix buffer overrun on invalid state load MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2013-4526 Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So we use the old version of ports to read the array but then allow any value for ports. This can cause the code to overflow. There's no reason to migrate ports - it never changes. So just make sure it matches. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Juan Quintela <quintela@redhat.com> (cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5) [AF: BNC#864671] Signed-off-by: Andreas Färber <afaerber@suse.de> --- hw/ide/ahci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c index bfe633f..457a7a1 100644 --- a/hw/ide/ahci.c +++ b/hw/ide/ahci.c @@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = { VMSTATE_UINT32(control_regs.impl, AHCIState), VMSTATE_UINT32(control_regs.version, AHCIState), VMSTATE_UINT32(idp_index, AHCIState), - VMSTATE_INT32(ports, AHCIState), + VMSTATE_INT32_EQUAL(ports, AHCIState), VMSTATE_END_OF_LIST() }, };
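Review bot: the added `VMSTATE_INT32_EQUAL(ports, AHCIState)` line in `vmstate_ahci` carries no comment saying why this field is compared rather than loaded, so a later cleanup could switch it back to `VMSTATE_INT32` and reopen the overrun the commit message describes. Suggest a one-line comment above it, for example `/* ports sizes the VARRAY and never changes; reject a stream whose value differs */`. The field is the last entry before `VMSTATE_END_OF_LIST()`, so the comparison runs only after the preceding fields have been loaded; the commit message says the array is read with the existing `ports` value, and noting that in the comment would make clear the ordering is intentional.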