On Tue, Mar 22, 2011 at 10:25:06PM +0530, Amit Shah wrote:
> On (Tue) 22 Mar 2011 [18:32:50], Michael S. Tsirkin wrote:
> > Fix crash on invalid input in virtio-serial.
> > Discovered by code review, untested.
> >
> > Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
> > ---
> > hw/virtio-serial-bus.c | 3 +++
> > 1 files changed, 3 insertions(+), 0 deletions(-)
> >
> > diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
> > index e0bf6c5..8807a2f 100644
> > --- a/hw/virtio-serial-bus.c
> > +++ b/hw/virtio-serial-bus.c
> > @@ -654,6 +654,9 @@ static int virtio_serial_load(QEMUFile *f, void
> > *opaque, int version_id)
> >
> > id = qemu_get_be32(f);
> > port = find_port_by_id(s, id);
> > + if (!port) {
> > + return -EINVAL;
> > + }
>
> Just before this, we matched the ports_map which would bail out if the
> corresponding port isn't avl. in the destination, so this check is
> made redundant.
>
> Amit
You are trusting the remote here, this is a security problem.
A malicious remote will always be able to create arbitrary guest state,
but it should not be able to corrupt the host.
--
MST
