| commit | 5f691ff91d323b6f97c6600405a7f9dc115a0ad1 | |
| author | Michael S. Tsirkin <mst@redhat.com> | |
| Thu, 3 Apr 2014 16:51:31 +0000 (3 19:51 +0300) | ||
| committer | Juan Quintela <quintela@redhat.com> | |
| Mon, 5 May 2014 20:15:02 +0000 (5 22:15 +0200) | ||
| tree | b74c3b71e045d1fda8480300959fcb6689400f92 | treesnapshot (tar.gz zip) |
| parent | 3f1c49e2136fa08ab1ef3183fd55def308829584 | commitdiff |
hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
4) CVE-2013-4529
hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is
too large
There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.
Fix both issues.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
4) CVE-2013-4529
hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is
too large
There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.
Fix both issues.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
| hw/pci/pcie_aer.c | diffblobblamehistory |