hpet: fix buffer overrun on invalid state load

CVE-2013-4527 hw/timer/hpet.c buffer overrun hpet is a VARRAY with a uint8 size but static array of 32 To fix, make sure num_timers is valid using VMSTATE_VALID hook. Reported-by: N Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Reviewed-by: N Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: N Juan Quintela <quintela@redhat.com>

hpet: fix buffer overrun on invalid state load
CVE-2013-4527 hw/timer/hpet.c buffer overrun hpet is a VARRAY with a uint8 size but static array of 32 To fix, make sure num_timers is valid using VMSTATE_VALID hook. Reported-by: N Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Reviewed-by: N Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: N Juan Quintela <quintela@redhat.com>
3f1c49e2 · Michael S. Tsirkin · Juan Quintela · ae2158ad · 3f1c49e2
隐藏空白更改
内联并排

Showing with 13 addition and 0 deletion

hw/timer/hpet.c hw/timer/hpet.c +13 -0

未找到文件。
--- a/hw/timer/hpet.c
+++ b/hw/timer/hpet.c
@@ -239,6 +239,18 @@ static int hpet_pre_load(void *opaque)
    return 0;
 }

+static bool hpet_validate_num_timers(void *opaque, int version_id)
+{
+    HPETState *s = opaque;
+
+    if (s->num_timers < HPET_MIN_TIMERS) {
+        return false;
+    } else if (s->num_timers > HPET_MAX_TIMERS) {
+        return false;
+    }
+    return true;
+}
+
 static int hpet_post_load(void *opaque, int version_id)
 {
    HPETState *s = opaque;
@@ -307,6 +319,7 @@ static const VMStateDescription vmstate_hpet = {
        VMSTATE_UINT64(isr, HPETState),
        VMSTATE_UINT64(hpet_counter, HPETState),
        VMSTATE_UINT8_V(num_timers, HPETState, 2),
+        VMSTATE_VALIDATE("num_timers in range", hpet_validate_num_timers),
        VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0,
                                    vmstate_hpet_timer, HPETTimer),
        VMSTATE_END_OF_LIST()