Proxmox-Port/qemu
1
0
Fork 0
mirror of https://github.com/qemu/qemu.git synced 2025-08-05 10:37:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4b53c2c72c
qemu/hw/virtio
History
Michael Roth 4b53c2c72c virtio: avoid buffer overrun on incoming migration 
CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
..
dataplane dataplane: fix shadowed return value 2014-01-22 13:48:18 +01:00
Makefile.objs virtio: Implement MMIO based virtio transport 2013-07-19 12:58:47 +01:00
vhost.c vhost: clear signalled_used_valid on vhost stop 2013-08-12 12:25:17 +03:00
virtio-balloon.c virtio-balloon: don't hardcode config size value 2014-01-15 23:34:17 +04:00
virtio-bus.c virtio-bus: cleanup plug/unplug interface 2013-12-09 21:46:48 +01:00
virtio-mmio.c virtio-bus: remove vdev field 2013-12-09 21:46:48 +01:00
virtio-pci.c qom: Add check() argument to object_property_add_link() 2014-03-19 22:23:13 +01:00
virtio-pci.h virtio-pci: remove vdev field 2013-12-09 21:46:48 +01:00
virtio-rng.c virtio-rng: Avoid default_backend refcount leak 2014-03-19 22:23:47 +01:00
virtio.c virtio: avoid buffer overrun on incoming migration 2014-05-05 22:15:02 +02:00