diff options
author | Michael S. Tsirkin <mst@redhat.com> | 2014-04-28 16:08:23 +0300 |
---|---|---|
committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2014-08-06 14:55:48 -0500 |
commit | 3bb84a6c988e59892b0ca2a143805f92eb4b04ba (patch) | |
tree | 824aa377397974b25ee496fb42f9a23ce4c1f952 | |
parent | 48935f029f5ae7f6bd6f01b2c942a7f2f1a7bc9a (diff) | |
download | qemu-3bb84a6c988e59892b0ca2a143805f92eb4b04ba.tar.gz |
virtio: validate config_len on load
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--
v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-rw-r--r-- | hw/virtio/virtio.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index d5837c5993..3557c178f1 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val) int virtio_load(VirtIODevice *vdev, QEMUFile *f) { int i, ret; + int32_t config_len; uint32_t num; uint32_t features; uint32_t supported_features; @@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) features, supported_features); return -1; } - vdev->config_len = qemu_get_be32(f); + config_len = qemu_get_be32(f); + if (config_len != vdev->config_len) { + error_report("Unexpected config length 0x%x. Expected 0x%zx", + config_len, vdev->config_len); + return -1; + } qemu_get_buffer(f, vdev->config, vdev->config_len); num = qemu_get_be32(f); |