ahci: fix buffer overrun on invalid state load

CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
we use the old version of ports to read the array but then allow any
value for ports.  This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index fbea9e88865356448195649aae567b659ea45c6f..e3212741df8770e0273bbe63109b2ffc0fb3a0ea 100644 (file)
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1290,7 +1290,7 @@ const VMStateDescription vmstate_ahci = {
         VMSTATE_UINT32(control_regs.impl, AHCIState),
         VMSTATE_UINT32(control_regs.version, AHCIState),
         VMSTATE_UINT32(idp_index, AHCIState),
-        VMSTATE_INT32(ports, AHCIState),
+        VMSTATE_INT32_EQUAL(ports, AHCIState),
         VMSTATE_END_OF_LIST()
     },
 };