On Mon, May 12, 2014 at 03:16:07PM +0300, Michael S. Tsirkin wrote:
> Correct post load checks:
> 1. dev->setup_len == sizeof(dev->data_buf)
> seems fine, no need to fail migration
> 2. When state is DATA, passing index > len
> will cause memcpy with negative length,
> resulting in heap overflow
>
> First of the issues was reported by dgilbert.
>
> Reported-by: "Dr. David Alan Gilbert" <dgilb...@redhat.com>
> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
This is CVE-2014-3461 > --- > hw/usb/bus.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/hw/usb/bus.c b/hw/usb/bus.c > index e48b19f..2721719 100644 > --- a/hw/usb/bus.c > +++ b/hw/usb/bus.c > @@ -51,8 +51,9 @@ static int usb_device_post_load(void *opaque, int > version_id) > } > if (dev->setup_index < 0 || > dev->setup_len < 0 || > - dev->setup_index >= sizeof(dev->data_buf) || > - dev->setup_len >= sizeof(dev->data_buf)) { > + (dev->setup_state == SETUP_STATE_DATA && > + dev->setup_index > dev->setup_len) || > + dev->setup_len > sizeof(dev->data_buf)) { > return -EINVAL; > } > return 0; > -- > MST
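Review bot: the hunk removes the unconditional upper bound `dev->setup_index >= sizeof(dev->data_buf)` and only re-bounds setup_index (against setup_len) when `dev->setup_state == SETUP_STATE_DATA`, so in the other setup states setup_index is now constrained only by the `< 0` check; a short comment in usb_device_post_load (or a sentence in the commit message) stating why setup_index needs no upper bound outside the DATA state would make the reasoning reviewable without reading the consumers of setup_index. The relaxed `dev->setup_len > sizeof(dev->data_buf)` is a signed-vs-size_t comparison that is only safe because `dev->setup_len < 0` is rejected first in the same condition; that ordering is load-bearing and also merits a comment so a later reshuffle of the clauses does not silently reintroduce the problem.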