On 3 December 2013 16:28, Michael S. Tsirkin <m...@redhat.com> wrote:
> From: Michael Roth <mdr...@linux.vnet.ibm.com>
>
> CVE-2013-4532
>
> s->tx_frame_len is read from the wire and can later used as an index
> into s->tx_fifo[] for memset() when a DATA command is issued by the guest.
>
> In this case s->tx_frame_len is checked to avoid an overrun, but if the
> value is negative a subsequently executed guest can underrun the buffer
> with zeros via the memset() call.
>
> Fix this by failing migration if the incoming value is of s->tx_frame_len
> is less than -1 (the emulation code allows from -1 as a special case)
>
> Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com>
> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
> ---
> hw/net/stellaris_enet.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
> index 65f0ba8..6eca31e 100644
> --- a/hw/net/stellaris_enet.c
> +++ b/hw/net/stellaris_enet.c
> @@ -375,6 +375,9 @@ static int stellaris_enet_load(QEMUFile *f, void *opaque,
> int version_id)
> s->mrxd = qemu_get_be32(f);
> s->np = qemu_get_be32(f);
> s->tx_frame_len = qemu_get_be32(f);
> + if (s->tx_frame_len < -1) {
> + return -EINVAL;
> + }
Don't we need to also check that tx_frame_len <= 2032?
Otherwise the migration stream could set it to some large
positive number and use this to bypass the check on whether
writing to tx_fifo[tx_fifo_len] has hit the end of the fifo buffer,
I think.
> s->tx_fifo_len = qemu_get_be32(f);
> if (s->tx_fifo_len < 0 || s->tx_fifo_len > SE_FIFO_LEN) {
> return -EINVAL;
> --
> MST
>
thanks
-- PMM
