qemu-e2k/hw/gpio
Michael S. Tsirkin 52f91c3723 zaurus: fix buffer overrun on invalid state load
CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.

Since prev_level comes from wire indirectly, this can
happen on invalid state load.

Similarly for gpio_level and gpio_dir.

To fix, limit to 16 bit.

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
..
Makefile.objs
max7310.c max7310: QOM'ify 2014-02-14 16:22:32 +01:00
omap_gpio.c hw: cannot_instantiate_with_device_add_yet due to pointer props 2013-12-24 17:27:17 +01:00
pl061.c pl061: QOM'ify pl061 and pl061_luminary 2013-07-29 21:06:46 +02:00
puv3_gpio.c puv3_gpio: QOM cast cleanup 2013-07-29 21:06:57 +02:00
zaurus.c zaurus: fix buffer overrun on invalid state load 2014-05-05 22:15:02 +02:00