From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 4 Mar 2015 17:14:28 +0000 (+0000)
Subject: virtio: validate config_len on load
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=8911317f89b335e3370e14a79eeec6c25511c491;p=qemu-upstream-4.2-testing.git

virtio: validate config_len on load

Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
---

diff --git a/hw/virtio.c b/hw/virtio.c
index 7fddfe9c7..5dfd794da 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -786,6 +786,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
 int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 {
     int i, ret;
+    int32_t config_len;
     uint32_t num;
     uint32_t features;
     uint32_t supported_features;
@@ -810,7 +811,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
                      features, supported_features);
         return -1;
     }
-    vdev->config_len = qemu_get_be32(f);
+    config_len = qemu_get_be32(f);
+    if (config_len != vdev->config_len) {
+        error_report("Unexpected config length 0x%x. Expected 0x%zx",
+                     config_len, vdev->config_len);
+        return -1;
+    }
     qemu_get_buffer(f, vdev->config, vdev->config_len);
 
     num = qemu_get_be32(f);