qemu-e2k/include/hw
Michael S. Tsirkin 71f7fe48e1 virtio-net: fix buffer overflow on invalid state load
CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c

Deals with loading a corrupted savevm image.

>         n->mac_table.in_use = qemu_get_be32(f);

in_use is int, so it can get negative when assigned a 32-bit unsigned value.

>         /* MAC_TABLE_ENTRIES may be different from the saved image */
>         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {

passing this check ^^^

>             qemu_get_buffer(f, n->mac_table.macs,
>                             n->mac_table.in_use * ETH_ALEN);

with a "good" in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example, 0x81000000
satisfies this condition when ETH_ALEN is 6.

Fix it by making the value unsigned.
For consistency, change first_multi as well.

Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 14:15:10 +02:00
acpi acpi: Add ACPI_CPU_HOTPLUG_ID_LIMIT macro 2014-03-18 16:08:42 +02:00
arm i2c: Rename i2c_bus to I2CBus 2014-02-14 16:22:31 +01:00
audio
block qdev: Add enum property types to QAPI schema 2014-02-14 21:12:05 +01:00
char hw/arm/digic: add UART support 2013-12-17 20:12:51 +00:00
cpu icc_bus: QOM'ify ICC 2013-12-24 18:02:18 +01:00
cris cris: Remove the CRIS PIC glue 2014-02-03 14:04:00 +00:00
i2c i2c: Drop FROM_I2C_SLAVE() macro 2014-02-14 16:22:32 +01:00
i386 q35: Correct typo BRDIGE -> BRIDGE 2014-03-11 13:27:27 +02:00
input
intc arm: vgic device control api support 2014-02-26 17:20:00 +00:00
ipack ipack: Move IndustryPack out of hw/char/ 2014-02-14 21:11:53 +01:00
isa i2c: Rename i2c_bus to I2CBus 2014-02-14 16:22:31 +01:00
kvm
lm32 lm32_juart: Relocate and tidy header 2013-07-29 21:06:27 +02:00
m68k
mips
misc arm11mpcore: Split off SCU device 2013-11-05 17:47:30 +01:00
net allwinner-emac: set autonegotiation complete bit on link up 2014-04-17 21:34:06 +01:00
nvram sun4m: Set HostID in NVRAM 2014-02-27 10:01:40 +00:00
pci hw/pci: switch to a generic hotplug handling for PCIDevice 2014-02-10 10:27:00 +02:00
pci-host q35: Correct typo BRDIGE -> BRIDGE 2014-03-11 13:27:27 +02:00
ppc PPC: Clean up DECR implementation 2014-04-08 11:20:04 +02:00
s390x s390x/event-facility: code restructure 2014-02-27 09:51:25 +01:00
scsi scsi: Fix migration of scsi sense data 2014-03-14 10:06:55 +01:00
sh4
sparc
timer allwinner-a10-pit: implement prescaler and source selection 2014-04-17 21:34:06 +01:00
unicore32
virtio virtio-net: fix buffer overflow on invalid state load 2014-05-05 14:15:10 +02:00
xen Revert "KVM: Split QEMUMachine typedef into separate header" 2014-03-13 03:49:48 +01:00
boards.h vl.c: Fix OpenBSD compilation issue due to namespace collisions 2014-03-19 21:00:34 +01:00
bt.h Preparation for usb-bt-dongle conditional build 2013-09-10 11:14:41 +02:00
devices.h
elf_ops.h elf-loader: add more return codes 2014-03-05 03:06:46 +01:00
empty_slot.h
fw-path-provider.h fw-path-provider: Change GPL version to 2+ 2014-04-07 15:36:07 +02:00
hotplug.h define hotplug interface 2014-02-10 10:23:35 +02:00
hw.h
ide.h Call pci_piix3_xen_ide_unplug from unplug_disks 2014-02-20 17:28:08 +00:00
irq.h hw/core: Add interface to allocate and free a single IRQ 2013-10-14 17:11:44 +03:00
loader.h pc: avoid duplicate names for ROM MRs 2014-03-11 13:25:48 +02:00
pcmcia.h pcmcia: QOM'ify PCMCIACardState and MicroDriveState 2013-11-05 18:06:52 +01:00
ptimer.h vmstate: Make VMSTATE_STRUCT_POINTER take type, not ptr-to-type 2014-02-04 15:51:45 +01:00
qdev-core.h qdev: Prepare realize/unrealize hooks for BusState 2014-03-13 01:21:57 +01:00
qdev-dma.h qdev: Remove hex8/32/64 property types 2014-02-14 21:12:04 +01:00
qdev-properties.h qom: Add check() argument to object_property_add_link() 2014-03-19 22:23:13 +01:00
qdev.h
sd.h
ssi.h ssi: Remove SSI_SLAVE_FROM_QDEV() macro 2014-03-12 20:13:02 +01:00
stream.h
sysbus.h memory: Change MemoryRegion priorities from unsigned to signed 2013-10-14 17:11:44 +03:00
usb.h usb: Remove magic constants from device bmAttributes 2014-02-18 15:39:12 +01:00