xen/CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch

References: bsc#964644 CVE-2013-4533

Subject: pxa2xx: avoid buffer overrun on incoming migration
From: Michael S. Tsirkin mst@redhat.com Thu Apr 3 19:51:57 2014 +0300
Date: Mon May 5 22:15:02 2014 +0200:
Git: caa881abe0e01f9931125a0977ec33c5343e4aa7

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
@@ -847,7 +847,7 @@ static void pxa2xx_ssp_save(QEMUFile *f,
 static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
 {
     struct pxa2xx_ssp_s *s = (struct pxa2xx_ssp_s *) opaque;
-    int i;
+    int i, v;
 
     s->enable = qemu_get_be32(f);
 
@@ -861,7 +861,11 @@ static int pxa2xx_ssp_load(QEMUFile *f,
     qemu_get_8s(f, &s->ssrsa);
     qemu_get_8s(f, &s->ssacd);
 
-    s->rx_level = qemu_get_byte(f);
+    v = qemu_get_byte(f);
+    if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
+        return -EINVAL;
+    }
+    s->rx_level = v;
     s->rx_start = 0;
     for (i = 0; i < s->rx_level; i ++)
         s->rx_fifo[i] = qemu_get_byte(f);
- bsc#964947 - VUL-0: CVE-2015-5278: xen: Infinite loop in ne2000_receive() function CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch - bsc#956832 - VUL-0: CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch - bsc#964644 - VUL-0: CVE-2013-4533: xen pxa2xx: buffer overrun on incoming migration CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch - bsc#964925 - VUL-0: CVE-2014-0222: xen: qcow1: validate L2 table size to avoid integer overflows CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch - Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch - bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer dereference in ehci_caps_write CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=397 2016-02-03 22:39:15 +01:00			`References: bsc#964644 CVE-2013-4533`

			`Subject: pxa2xx: avoid buffer overrun on incoming migration`
			`From: Michael S. Tsirkin mst@redhat.com Thu Apr 3 19:51:57 2014 +0300`
			`Date: Mon May 5 22:15:02 2014 +0200:`
			`Git: caa881abe0e01f9931125a0977ec33c5343e4aa7`

			`CVE-2013-4533`

			`s->rx_level is read from the wire and used to determine how many bytes`
			`to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the`
			`length of s->rx_fifo[] the buffer can be overrun with arbitrary data`
			`from the wire.`

			`Fix this by validating rx_level against the size of s->rx_fifo.`

			`Cc: Don Koch <dkoch@verizon.com>`
			`Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>`
			`Signed-off-by: Michael S. Tsirkin <mst@redhat.com>`
			`Reviewed-by: Peter Maydell <peter.maydell@linaro.org>`
			`Reviewed-by: Don Koch <dkoch@verizon.com>`
			`Signed-off-by: Juan Quintela <quintela@redhat.com>`

			`Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c`
			`===================================================================`
			`--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c`
			`+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c`
			`@@ -847,7 +847,7 @@ static void pxa2xx_ssp_save(QEMUFile *f,`
			`static int pxa2xx_ssp_load(QEMUFile f, void opaque, int version_id)`
			`{`
			`struct pxa2xx_ssp_s s = (struct pxa2xx_ssp_s ) opaque;`
			`- int i;`
			`+ int i, v;`

			`s->enable = qemu_get_be32(f);`

			`@@ -861,7 +861,11 @@ static int pxa2xx_ssp_load(QEMUFile *f,`
			`qemu_get_8s(f, &s->ssrsa);`
			`qemu_get_8s(f, &s->ssacd);`

			`- s->rx_level = qemu_get_byte(f);`
			`+ v = qemu_get_byte(f);`
			`+ if (v < 0 \|\| v > ARRAY_SIZE(s->rx_fifo)) {`
			`+ return -EINVAL;`
			`+ }`
			`+ s->rx_level = v;`
			`s->rx_start = 0;`
			`for (i = 0; i < s->rx_level; i ++)`
			`s->rx_fifo[i] = qemu_get_byte(f);`