diff options
| author | Michael S. Tsirkin <mst@redhat.com> | 2014-04-03 19:52:25 +0300 |
|---|---|---|
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2014-06-26 14:22:06 -0500 |
| commit | c4bd2e4cb0550fd83321029b9ae7582073fcac67 (patch) | |
| tree | 688d8b26eea4d40ef37cf0aea40e474f744b2ae1 /hw | |
| parent | 0776525e77ac1c2e1b7a45ecde1597bb0f460877 (diff) | |
| download | qemu-c4bd2e4cb0550fd83321029b9ae7582073fcac67.zip qemu-c4bd2e4cb0550fd83321029b9ae7582073fcac67.tar.gz qemu-c4bd2e4cb0550fd83321029b9ae7582073fcac67.tar.bz2 | |
usb: sanity check setup_index+setup_len in post_load
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/usb/bus.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/hw/usb/bus.c b/hw/usb/bus.c index ca329be..53c85fe 100644 --- a/hw/usb/bus.c +++ b/hw/usb/bus.c @@ -47,7 +47,9 @@ static int usb_device_post_load(void *opaque, int version_id) } else { dev->attached = 1; } - if (dev->setup_index >= sizeof(dev->data_buf) || + if (dev->setup_index < 0 || + dev->setup_len < 0 || + dev->setup_index >= sizeof(dev->data_buf) || dev->setup_len >= sizeof(dev->data_buf)) { return -EINVAL; } |