usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541 s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked to make sure they are not negative. Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> (cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
author: Michael S. Tsirkin <mst@redhat.com> 2014-04-03 19:52:25 +0300
committer: Michael Roth <mdroth@linux.vnet.ibm.com> 2014-07-20 22:05:55 -0500
commit: 15c35dfd9299733e5391b65efd3e0356a01d01ad (patch)
tree: 40f24591189eb779e1b895149a1a030c97ff01ef /hw
parent: e7ff13929f58acd1d21a50930fa500d6160f7356 (diff)
download: qemu-15c35dfd9299733e5391b65efd3e0356a01d01ad.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index fe70429304..e48b19fc29 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
     } else {
         dev->attached = 1;
     }
-    if (dev->setup_index >= sizeof(dev->data_buf) ||
+    if (dev->setup_index < 0 ||
+        dev->setup_len < 0 ||
+        dev->setup_index >= sizeof(dev->data_buf) ||
         dev->setup_len >= sizeof(dev->data_buf)) {
         return -EINVAL;
     }
author	Michael S. Tsirkin <mst@redhat.com>	2014-04-03 19:52:25 +0300
committer	Michael Roth <mdroth@linux.vnet.ibm.com>	2014-07-20 22:05:55 -0500
commit	15c35dfd9299733e5391b65efd3e0356a01d01ad (patch)
tree	40f24591189eb779e1b895149a1a030c97ff01ef /hw
parent	e7ff13929f58acd1d21a50930fa500d6160f7356 (diff)
download	qemu-15c35dfd9299733e5391b65efd3e0356a01d01ad.tar.gz