References: bsc#964452 CVE-2013-4534
Subject: openpic: avoid buffer overrun on incoming migration
From: Michael Roth mdroth@linux.vnet.ibm.com Mon Apr 28 16:08:17 2014 +0300
Date: Mon May 5 22:15:03 2014 +0200:
Git: 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e
CVE-2013-4534 opp->nb_cpus is read from the wire and used to determine how many IRQDest elements to read into opp->dst[]. If the value exceeds the length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary data from the wire. Fix this by failing migration if the value read from the wire exceeds MAX_CPU.
Signed-off-by: Michael Roth
Reviewed-by: Alexander Graf
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Juan Quintela
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
@@ -36,6 +36,7 @@
 #include "ppc_mac.h"
 #include "pci.h"
 #include "openpic.h"
+#include "qemu/qerror.h"
 //#define DEBUG_OPENPIC
@@ -1132,7 +1133,7 @@ static void openpic_load_IRQ_queue(QEMUF
 static int openpic_load(QEMUFile* f, void *opaque, int version_id)
 {
     openpic_t *opp = (openpic_t *)opaque;
-    unsigned int i;
+    unsigned int i, nb_cpus;
     if (version_id != 1)
         return -EINVAL;
@@ -1153,7 +1154,11 @@ static int openpic_load(QEMUFile* f, voi
         qemu_get_sbe32s(f, &opp->src[i].pending);
     }
-    qemu_get_sbe32s(f, &opp->nb_cpus);
+    qemu_get_be32s(f, &nb_cpus);
+    if (opp->nb_cpus != nb_cpus) {
+        return -EINVAL;
+    }
+    assert(nb_cpus > 0 && nb_cpus <= MAX_CPU);
     for (i = 0; i < opp->nb_cpus; i++) {
         qemu_get_be32s(f, &opp->dst[i].tfrr);
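Review bot: The added `#include "qemu/qerror.h"` is not used by anything visible in this backport: the only new call in the later hunk is `assert()`, which needs `<assert.h>`, not qerror.h. The `qemu/` header layout belongs to the newer QEMU tree the upstream commit targets, so confirm that path actually exists in the qemu-xen-traditional tree before keeping it; if nothing in openpic.c references a qerror symbol, dropping the include and making sure `<assert.h>` is in scope is the safer backport.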
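Review bot: The bound on the `opp->dst[i]` loop is now the `opp->nb_cpus != nb_cpus` check, not the `assert`, and the hunk does not say so; since `assert()` may be compiled out under NDEBUG, a reader could later mistake the assert for the security check. I would add above the comparison: `/* nb_cpus is wire data: it must match the value this device was configured with (already bounded to MAX_CPU), so the -EINVAL return is what bounds the dst[] loop; the assert only restates that local invariant. */`. Note also that `nb_cpus` is `unsigned int` while `opp->nb_cpus` was previously filled by `qemu_get_sbe32s` and so is presumably a signed int; the `!=` comparison is fine for equality, but the loop condition `i < opp->nb_cpus` now compares unsigned `i` against that signed field — harmless given the check, but worth a glance if the field's type differs from what I infer here. `openpic_load` starts in the previous hunk and its body continues past this one.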