* Michael S. Tsirkin (m...@redhat.com) wrote:
> 4) CVE-2013-4529
> hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is
> too large
>
> There are two issues in this file:
> 1. log_max from remote can be larger than on local
> then buffer will overrun with data coming from state file.
> 2. log_num can be larger then we get data corruption
> again with an overflow but not adversary controlled.
>
> Fix both issues.
>
> Reported-by: Anthony Liguori <anth...@codemonkey.ws>
> Reported-by: Michael S. Tsirkin <m...@redhat.com>
> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilb...@redhat.com>
> ---
> hw/pci/pcie_aer.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/hw/pci/pcie_aer.c b/hw/pci/pcie_aer.c
> index 991502e..535be2c 100644
> --- a/hw/pci/pcie_aer.c
> +++ b/hw/pci/pcie_aer.c
> @@ -795,6 +795,13 @@ static const VMStateDescription vmstate_pcie_aer_err = {
> }
> };
>
> +static bool pcie_aer_state_log_num_valid(void *opaque, int version_id)
> +{
> + PCIEAERLog *s = opaque;
> +
> + return s->log_num <= s->log_max;
> +}
> +
> const VMStateDescription vmstate_pcie_aer_log = {
> .name = "PCIE_AER_ERROR_LOG",
> .version_id = 1,
> @@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_aer_log = {
> .minimum_version_id_old = 1,
> .fields = (VMStateField[]) {
> VMSTATE_UINT16(log_num, PCIEAERLog),
> - VMSTATE_UINT16(log_max, PCIEAERLog),
> + VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog),
> + VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid),
> VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num,
> vmstate_pcie_aer_err, PCIEAERErr),
> VMSTATE_END_OF_LIST()
> --
> MST
>
>
--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
