9b39a3d650
ne2000_receive() function CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch - bsc#956832 - VUL-0: CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch - bsc#964644 - VUL-0: CVE-2013-4533: xen pxa2xx: buffer overrun on incoming migration CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch - bsc#964925 - VUL-0: CVE-2014-0222: xen: qcow1: validate L2 table size to avoid integer overflows CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch - Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch - bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer dereference in ehci_caps_write CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=397
50 lines
1.8 KiB
Diff
50 lines
1.8 KiB
Diff
References: bsc#964644 CVE-2013-4533
|
|
|
|
Subject: pxa2xx: avoid buffer overrun on incoming migration
|
|
From: Michael S. Tsirkin mst@redhat.com Thu Apr 3 19:51:57 2014 +0300
|
|
Date: Mon May 5 22:15:02 2014 +0200:
|
|
Git: caa881abe0e01f9931125a0977ec33c5343e4aa7
|
|
|
|
CVE-2013-4533
|
|
|
|
s->rx_level is read from the wire and used to determine how many bytes
|
|
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
|
|
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
|
|
from the wire.
|
|
|
|
Fix this by validating rx_level against the size of s->rx_fifo.
|
|
|
|
Cc: Don Koch <dkoch@verizon.com>
|
|
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Reviewed-by: Don Koch <dkoch@verizon.com>
|
|
Signed-off-by: Juan Quintela <quintela@redhat.com>
|
|
|
|
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
|
|
===================================================================
|
|
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
|
|
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
|
|
@@ -847,7 +847,7 @@ static void pxa2xx_ssp_save(QEMUFile *f,
|
|
static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
|
|
{
|
|
struct pxa2xx_ssp_s *s = (struct pxa2xx_ssp_s *) opaque;
|
|
- int i;
|
|
+ int i, v;
|
|
|
|
s->enable = qemu_get_be32(f);
|
|
|
|
@@ -861,7 +861,11 @@ static int pxa2xx_ssp_load(QEMUFile *f,
|
|
qemu_get_8s(f, &s->ssrsa);
|
|
qemu_get_8s(f, &s->ssacd);
|
|
|
|
- s->rx_level = qemu_get_byte(f);
|
|
+ v = qemu_get_byte(f);
|
|
+ if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
|
|
+ return -EINVAL;
|
|
+ }
|
|
+ s->rx_level = v;
|
|
s->rx_start = 0;
|
|
for (i = 0; i < s->rx_level; i ++)
|
|
s->rx_fifo[i] = qemu_get_byte(f);
|