Michael S. Tsirkin
36cf2a3713
virtio: validate num_sg when mapping ...
CVE-2013-4535
CVE-2013-4536
Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.
To fix, validate num_sg.
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
2014-04-25 09:19:59 -04:00
2014-03-18 16:08:43 +02:00
2014-02-11 22:57:12 +10:00
2014-05-01 15:25:52 +01:00
2014-04-29 10:46:29 +02:00
2014-04-22 12:00:20 +02:00
2013-09-10 11:14:41 +02:00
2014-04-07 14:51:32 +01:00
2014-04-25 09:19:59 -04:00
2013-12-24 18:02:18 +01:00
2014-02-03 14:04:00 +00:00
2014-04-28 11:03:32 +02:00
2014-03-19 22:23:13 +01:00
2014-02-14 16:22:32 +01:00
2014-04-18 10:33:36 +04:00
2014-04-27 13:04:18 +04:00
2014-05-05 22:15:02 +02:00
2014-03-09 21:09:38 +02:00
2014-05-02 11:32:00 +01:00
2014-02-14 21:11:53 +01:00
2014-02-20 13:05:48 +00:00
2014-02-04 19:47:39 +01:00
2013-11-05 17:47:29 +01:00
2014-02-26 14:54:45 +10:00
2014-02-14 16:22:31 +01:00
2014-04-25 09:19:59 -04:00
2014-03-05 03:06:46 +01:00
2014-05-05 14:15:10 +02:00
2014-03-20 02:40:07 +01:00
2013-11-20 21:46:45 +08:00
2014-05-05 22:15:02 +02:00
2014-02-10 10:27:00 +02:00
2014-04-08 18:37:45 +01:00
2014-03-19 22:23:13 +01:00
2014-04-08 11:20:05 +02:00
2014-03-19 22:23:13 +01:00
2014-04-02 13:24:23 +02:00
2014-03-12 20:13:02 +01:00
2014-03-13 19:52:47 +01:00
2014-02-27 10:01:41 +00:00
2013-09-03 12:31:07 -05:00
2014-05-05 22:15:02 +02:00
2014-05-05 22:15:02 +02:00
2013-08-22 19:10:27 +02:00
2014-03-05 09:52:04 +01:00
2014-04-23 10:28:14 +02:00
2014-05-05 22:15:02 +02:00
2014-01-06 15:02:30 -05:00
2014-02-20 17:28:08 +00:00
2014-02-24 04:47:01 +04:00
2014-03-04 09:20:49 +05:30
36cf2a3713