Michael S. Tsirkin
cc45995294
virtio: out-of-bounds buffer write on invalid state load ...
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c
So we have this code since way back when:
num = qemu_get_be32(f);
for (i = 0; i < num; i++) {
vdev->vq[i].vring.num = qemu_get_be32(f);
array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
2014-04-25 09:19:59 -04:00
2014-03-18 16:08:43 +02:00
2014-02-11 22:57:12 +10:00
2014-05-01 15:25:52 +01:00
2014-04-29 10:46:29 +02:00
2014-04-22 12:00:20 +02:00
2013-09-10 11:14:41 +02:00
2014-04-07 14:51:32 +01:00
2014-04-25 09:19:59 -04:00
2013-12-24 18:02:18 +01:00
2014-02-03 14:04:00 +00:00
2014-04-28 11:03:32 +02:00
2014-03-19 22:23:13 +01:00
2014-02-14 16:22:32 +01:00
2014-04-18 10:33:36 +04:00
2014-04-27 13:04:18 +04:00
2014-04-18 10:33:36 +04:00
2014-03-09 21:09:38 +02:00
2014-05-02 11:32:00 +01:00
2014-02-14 21:11:53 +01:00
2014-02-20 13:05:48 +00:00
2014-02-04 19:47:39 +01:00
2013-11-05 17:47:29 +01:00
2014-02-26 14:54:45 +10:00
2014-02-14 16:22:31 +01:00
2014-04-25 09:19:59 -04:00
2014-03-05 03:06:46 +01:00
2014-05-05 14:15:10 +02:00
2014-03-20 02:40:07 +01:00
2013-11-20 21:46:45 +08:00
2014-03-31 19:53:34 +01:00
2014-02-10 10:27:00 +02:00
2014-04-08 18:37:45 +01:00
2014-03-19 22:23:13 +01:00
2014-04-08 11:20:05 +02:00
2014-03-19 22:23:13 +01:00
2014-04-02 13:24:23 +02:00
2014-03-12 20:13:02 +01:00
2014-03-13 19:52:47 +01:00
2014-02-27 10:01:41 +00:00
2013-09-03 12:31:07 -05:00
2014-03-12 20:13:02 +01:00
2014-04-17 21:34:06 +01:00
2013-08-22 19:10:27 +02:00
2014-03-05 09:52:04 +01:00
2014-04-23 10:28:14 +02:00
2014-05-05 22:15:02 +02:00
2014-01-06 15:02:30 -05:00
2014-02-20 17:28:08 +00:00
2014-02-24 04:47:01 +04:00
2014-03-04 09:20:49 +05:30
cc45995294