e2a042f066
Fix CVE-2013-4148 (bnc#864812), CVE-2013-4149 (bnc#864649), CVE-2013-4150 (bnc#864650), CVE-2013-4151 (bnc#864653), CVE-2013-4526 (bnc#864671), CVE-2013-4527 (bnc#864673), CVE-2013-4529 (bnc#864678), CVE-2013-4530 (bnc#864682), CVE-2013-4531 (bnc#864796), CVE-2013-4533 (bnc#864655), CVE-2013-4534 (bnc#864811), CVE-2013-4535 / CVE-2013-4536 (bnc#864665), CVE-2013-4537 (bnc#864391), CVE-2013-4538 (bnc#864769), CVE-2013-4539 (bnc#864805), CVE-2013-4540 (bnc#864801), CVE-2013-4541 (bnc#864802), CVE-2013-4542 (bnc#864804), CVE-2013-6399 (bnc#864814), CVE-2014-0182 (bnc#874788) OBS-URL: https://build.opensuse.org/request/show/235280 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=211
44 lines
1.4 KiB
Diff
44 lines
1.4 KiB
Diff
From b94f504fbb4910705803236ec84805ac4ac9139e Mon Sep 17 00:00:00 2001
|
|
From: "Michael S. Tsirkin" <mst@redhat.com>
|
|
Date: Thu, 3 Apr 2014 19:52:25 +0300
|
|
Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
CVE-2013-4541
|
|
|
|
s->setup_len and s->setup_index are fed into usb_packet_copy as
|
|
size/offset into s->data_buf, it's possible for invalid state to exploit
|
|
this to load arbitrary data.
|
|
|
|
setup_len and setup_index should be checked to make sure
|
|
they are not negative.
|
|
|
|
Cc: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Juan Quintela <quintela@redhat.com>
|
|
(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
|
|
[AF: BNC#864802]
|
|
Signed-off-by: Andreas Färber <afaerber@suse.de>
|
|
---
|
|
hw/usb/bus.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
|
|
index fe70429..e48b19f 100644
|
|
--- a/hw/usb/bus.c
|
|
+++ b/hw/usb/bus.c
|
|
@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
|
|
} else {
|
|
dev->attached = 1;
|
|
}
|
|
- if (dev->setup_index >= sizeof(dev->data_buf) ||
|
|
+ if (dev->setup_index < 0 ||
|
|
+ dev->setup_len < 0 ||
|
|
+ dev->setup_index >= sizeof(dev->data_buf) ||
|
|
dev->setup_len >= sizeof(dev->data_buf)) {
|
|
return -EINVAL;
|
|
}
|