pool/xen
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
factory
xen/CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch
Charles Arnold b87fe0a367 - bsc#969351 - VUL-0: CVE-2016-2841: xen: net: ne2000: infinite 
loop in ne2000_receive
  CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch

- Use system qemu instead of building/installing yet another qemu
  FATE#320638
- Dropped files
  qemu-xen-dir-remote.tar.bz2
  CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
  CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
  CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch
  CVE-2015-4037-qemuu-smb-config-dir-name.patch
  CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
  CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
  CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
  CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
  CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
  CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
  CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch
  CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch
  CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch
  CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch
  CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch
  CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
  CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
  qemu-xen-enable-spice-support.patch
  qemu-xen-upstream-qdisk-cache-unsafe.patch
  tigervnc-long-press.patch
- bsc#964452 - VUL-0: CVE-2013-4534: xen: openpic: buffer overrun
  on incoming migration

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=408
2016-03-03 22:36:20 +00:00

57 lines
1.9 KiB
Diff
Raw Permalink Blame History

References: bsc#964452 CVE-2013-4534
Subject: openpic: avoid buffer overrun on incoming migration
From: Michael Roth mdroth@linux.vnet.ibm.com Mon Apr 28 16:08:17 2014 +0300
Date: Mon May 5 22:15:03 2014 +0200:
Git: 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e
CVE-2013-4534
opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.
Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
@@ -36,6 +36,7 @@
#include "ppc_mac.h"
#include "pci.h"
#include "openpic.h"
+#include "qemu/qerror.h"
//#define DEBUG_OPENPIC
@@ -1132,7 +1133,7 @@ static void openpic_load_IRQ_queue(QEMUF
static int openpic_load(QEMUFile* f, void *opaque, int version_id)
{
openpic_t *opp = (openpic_t *)opaque;
- unsigned int i;
+ unsigned int i, nb_cpus;
if (version_id != 1)
return -EINVAL;
@@ -1153,7 +1154,11 @@ static int openpic_load(QEMUFile* f, voi
qemu_get_sbe32s(f, &opp->src[i].pending);
}
- qemu_get_sbe32s(f, &opp->nb_cpus);
+ qemu_get_be32s(f, &nb_cpus);
+ if (opp->nb_cpus != nb_cpus) {
+ return -EINVAL;
+ }
+ assert(nb_cpus > 0 && nb_cpus <= MAX_CPU);
for (i = 0; i < opp->nb_cpus; i++) {
qemu_get_be32s(f, &opp->dst[i].tfrr);
Reference in New Issue View Git Blame Copy Permalink