File CVE-2013-4534-qemut-openpic-buffer-overrun-on-i... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch of Package xen (Revision 6bbfc10fa0cd4906a4b565a5ad40b57f)

Currently displaying revision 6bbfc10fa0cd4906a4b565a5ad40b57f , Show latest

References: bsc#964452 CVE-2013-4534

Subject: openpic: avoid buffer overrun on incoming migration
From: Michael Roth mdroth@linux.vnet.ibm.com Mon Apr 28 16:08:17 2014 +0300
Date: Mon May 5 22:15:03 2014 +0200:
Git: 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e

CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
@@ -36,6 +36,7 @@
 #include "ppc_mac.h"
 #include "pci.h"
 #include "openpic.h"
+#include "qemu/qerror.h"
 
 //#define DEBUG_OPENPIC
 
@@ -1132,7 +1133,7 @@ static void openpic_load_IRQ_queue(QEMUF
 static int openpic_load(QEMUFile* f, void *opaque, int version_id)
 {
     openpic_t *opp = (openpic_t *)opaque;
-    unsigned int i;
+    unsigned int i, nb_cpus;
 
     if (version_id != 1)
         return -EINVAL;
@@ -1153,7 +1154,11 @@ static int openpic_load(QEMUFile* f, voi
         qemu_get_sbe32s(f, &opp->src[i].pending);
     }
 
-    qemu_get_sbe32s(f, &opp->nb_cpus);
+    qemu_get_be32s(f, &nb_cpus);
+    if (opp->nb_cpus != nb_cpus) {
+        return -EINVAL;
+    }
+    assert(nb_cpus > 0 && nb_cpus <= MAX_CPU);
 
     for (i = 0; i < opp->nb_cpus; i++) {
         qemu_get_be32s(f, &opp->dst[i].tfrr);

Places

File CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch of Package xen (Revision 6bbfc10fa0cd4906a4b565a5ad40b57f)

Places