On Mon, Mar 31, 2014 at 04:40:41PM +0100, Peter Maydell wrote: > On 31 March 2014 15:16, Michael S. Tsirkin <m...@redhat.com> wrote: > > CVE-2013-4531 > > > > cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for > > cpreg_vmstate_array_len will cause a buffer overflow. > > > > VMSTATE_INT32_LE was supposed to protect against this > > but doesn't because it doesn't validate that input is > > non-negative. > > > > Fix this macro to valide the value appropriately. > > > > The only other user of VMSTATE_INT32_LE doesn't > > ever use negative numbers so it doesn't care. > > This fixes the bug, but it's rather unintuitive semantics > for an INT32_LE not to simply do a signed comparison... > Maybe rename the macro? > > thanks > -- PMM
Sure. I'll do it in a separate patch though.
