ssi-sd: fix buffer overrun on invalid state load

CVE-2013-4537 s->arglen is taken from wire and used as idx in ssi_sd_transfer(). Validate it before access. Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Signed-off-by: N Juan Quintela <quintela@redhat.com>

ssi-sd: fix buffer overrun on invalid state load
CVE-2013-4537 s->arglen is taken from wire and used as idx in ssi_sd_transfer(). Validate it before access. Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Signed-off-by: N Juan Quintela <quintela@redhat.com>
a9c380db · Michael S. Tsirkin · Juan Quintela · 767adce2 · a9c380db
隐藏空白更改
内联并排

Showing with 9 addition and 0 deletion

hw/sd/ssi-sd.c hw/sd/ssi-sd.c +9 -0

未找到文件。
--- a/hw/sd/ssi-sd.c
+++ b/hw/sd/ssi-sd.c
@@ -230,8 +230,17 @@ static int ssi_sd_load(QEMUFile *f, void *opaque, int version_id)
    for (i = 0; i < 5; i++)
        s->response[i] = qemu_get_be32(f);
    s->arglen = qemu_get_be32(f);
+    if (s->mode == SSI_SD_CMDARG &&
+        (s->arglen < 0 || s->arglen >= ARRAY_SIZE(s->cmdarg))) {
+        return -EINVAL;
+    }
    s->response_pos = qemu_get_be32(f);
    s->stopping = qemu_get_be32(f);
+    if (s->mode == SSI_SD_RESPONSE &&
+        (s->response_pos < 0 || s->response_pos >= ARRAY_SIZE(s->response) ||
+        (!s->stopping && s->arglen > ARRAY_SIZE(s->response)))) {
+        return -EINVAL;
+    }

    ss->cs = qemu_get_be32(f);