| commit | 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a | |
| author | Michael S. Tsirkin <mst@redhat.com> | |
| Thu, 3 Apr 2014 16:52:25 +0000 (3 19:52 +0300) | ||
| committer | Juan Quintela <quintela@redhat.com> | |
| Mon, 5 May 2014 20:15:03 +0000 (5 22:15 +0200) | ||
| tree | 4d13c798595979f4650e00acfb74a03fc54047da | treesnapshot (tar.gz zip) |
| parent | 3476436a44c29725efef0cabf5b3ea4e70054d57 | commitdiff |
usb: sanity check setup_index+setup_len in post_load
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
| hw/usb/bus.c | diffblobblamehistory |