From: Michael S. Tsirkin <mst@redhat.com>
Date: Thu, 3 Apr 2014 16:52:25 +0000 (+0300)
Subject: usb: sanity check setup_index+setup_len in post_load
X-Git-Tag: qemu-xen-4.4.3-rc1~42
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=1a228d0b734f044dc5f39d933be0ed807fbc60cf;p=qemu-upstream-4.4-testing.git

usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
---

diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index f83d1de6c..c6c200593 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -47,6 +47,12 @@ static int usb_device_post_load(void *opaque, int version_id)
     } else {
         dev->attached = 1;
     }
+    if (dev->setup_index < 0 ||
+        dev->setup_len < 0 ||
+        dev->setup_index >= sizeof(dev->data_buf) ||
+        dev->setup_len >= sizeof(dev->data_buf)) {
+        return -EINVAL;
+    }
     return 0;
 }