xenbits.xensource.com Git - qemu-upstream-4.2-testing.git/commit

author	Michael S. Tsirkin <mst@redhat.com>
	Wed, 4 Mar 2015 16:09:30 +0000 (16:09 +0000)
committer	Stefano Stabellini <stefano.stabellini@eu.citrix.com>
	Wed, 4 Mar 2015 16:09:30 +0000 (16:09 +0000)
commit	67a4e8e532ca5f8c4b197dbe3b93dec4c480b299
tree	e58c1c1b6327ea8b27669618579f8cdce9f70c10	tree
parent	f8d129043669acd151a93212bb819aa187d1167f	commit \| diff

virtio-net: out-of-bounds buffer write on load

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>