git.ipfire.org Git - thirdparty/qemu.git/commit
hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
author Michael S. Tsirkin <mst@redhat.com>
Thu, 3 Apr 2014 16:51:31 +0000 (19:51 +0300)
committer Michael Roth <mdroth@linux.vnet.ibm.com>
Thu, 26 Jun 2014 19:01:51 +0000 (14:01 -0500)
commit e83444f71eb48d18c7bcf3616846a6c2f9575f5c
tree 0ffa7f58056c1a16e4cc2e94336bfd1fd79011dd
parent d8aba740f274514bdda2a240f8b881f8d928f5cd
hw/pci/pcie_aer.c: fix buffer overruns on invalid state load

4) CVE-2013-4529
hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is
                     too large

There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.

Fix both issues.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5f691ff91d323b6f97c6600405a7f9dc115a0ad1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
hw/pci/pcie_aer.c
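
The two bounds checks the commit message describes, shown as an added C example that is not part of this commit or of QEMU's code. The structure, stream layout, sizes and sample streams are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified model of an error log restored from a state file;
 * names and wire layout are assumptions, not QEMU's structures. */
#define ENTRY_SIZE 4u               /* constructed entry size in bytes */
#define LOCAL_LOG_MAX 2u            /* capacity allocated on the destination */

struct aer_log {
    uint16_t log_num;               /* entries currently in use */
    uint16_t log_max;               /* entries allocated locally */
    uint8_t log[LOCAL_LOG_MAX][ENTRY_SIZE];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Stream layout (assumed): log_num, log_max as big-endian u16, then entries.
 * Returns 0 on success, -1 if the incoming state must be rejected. */
int aer_log_load(struct aer_log *dst, const uint8_t *buf, size_t len)
{
    if (len < 4) return -1;
    uint16_t num = rd16(buf), max = rd16(buf + 2);
    if (max > dst->log_max) return -1;      /* issue 1: remote log_max too large */
    if (num > max) return -1;               /* issue 2: log_num beyond log_max */
    size_t need = (size_t)num * ENTRY_SIZE;
    if (len - 4 < need) return -1;          /* truncated state file */
    memcpy(dst->log, buf + 4, need);        /* bounded by the checks above */
    dst->log_num = num;
    return 0;
}

/* Constructed sample streams: valid, oversized log_max, oversized log_num. */
const uint8_t ok_state[]      = {0,1, 0,2, 0xAA,0xBB,0xCC,0xDD};
const uint8_t big_max_state[] = {0,3, 0,8, 1,2,3,4, 5,6,7,8, 9,10,11,12};
const uint8_t big_num_state[] = {0,3, 0,2, 1,2,3,4, 5,6,7,8, 9,10,11,12};

int try_load(const uint8_t *buf, size_t len)
{
    struct aer_log log = { .log_num = 0, .log_max = LOCAL_LOG_MAX };
    return aer_log_load(&log, buf, len);
}

int main(void)
{
    printf("%d %d %d\n", try_load(ok_state, sizeof ok_state),
           try_load(big_max_state, sizeof big_max_state),
           try_load(big_num_state, sizeof big_num_state));
    return 0;
}
```

Rejecting the whole load on either failed check keeps the destination's log untouched, instead of clamping values that came from an untrusted state file.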