References: bsc#964644 CVE-2013-4533

Subject: pxa2xx: avoid buffer overrun on incoming migration
From: Michael S. Tsirkin mst@redhat.com Thu Apr 3 19:51:57 2014 +0300
Date: Mon May 5 22:15:02 2014 +0200:
Git: caa881abe0e01f9931125a0977ec33c5343e4aa7

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
@@ -847,7 +847,7 @@ static void pxa2xx_ssp_save(QEMUFile *f,
 static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
 {
     struct pxa2xx_ssp_s *s = (struct pxa2xx_ssp_s *) opaque;
-    int i;
+    int i, v;
 
     s->enable = qemu_get_be32(f);
 
@@ -861,7 +861,11 @@ static int pxa2xx_ssp_load(QEMUFile *f,
     qemu_get_8s(f, &s->ssrsa);
     qemu_get_8s(f, &s->ssacd);
 
-    s->rx_level = qemu_get_byte(f);
+    v = qemu_get_byte(f);
+    if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
+        return -EINVAL;
+    }
+    s->rx_level = v;
     s->rx_start = 0;
     for (i = 0; i < s->rx_level; i ++)
         s->rx_fifo[i] = qemu_get_byte(f);