]> xenbits.xensource.com Git - qemu-upstream-4.4-testing.git/commit
projects / qemu-upstream-4.4-testing.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ec86632) | patch
virtio-net: out-of-bounds buffer write on load
authorMichael S. Tsirkin <mst@redhat.com>
Mon, 28 Apr 2014 13:08:21 +0000 (16:08 +0300)
committerStefano Stabellini <stefano.stabellini@eu.citrix.com>
Wed, 4 Mar 2015 16:05:52 +0000 (16:05 +0000)
commit90d1a97c7560ca593471a0d6b7c6380844789a42
treef0c0b0423df0fb9579fcccc47a5f78800b244cd0tree
parentec8663297a0f68557df6e4efb2f0517f1952f75acommit | diff
virtio-net: out-of-bounds buffer write on load

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
hw/net/virtio-net.c diff | blob | history
Obsolete Upstream Qemu based repository for xen-4.4-testing