- 21 7月, 2014 40 次提交
-
-
由 Michael S. Tsirkin 提交于
It's a loop from i < num_sg and the array is VIRTQUEUE_MAX_SIZE - so it's OK if the value read is VIRTQUEUE_MAX_SIZE. Not a big problem in practice as people don't use such big queues, but it's inelegant. Reported-by: N"Dr. David Alan Gilbert" <dgilbert@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> (cherry picked from commit 93725140) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
KVM only supports MSIX table size up to 256 vectors, but some assigned devices support more vectors, at the moment attempts to assign them fail with EINVAL. Tweak the MSIX capability exposed to guest to limit table size to a supported value. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Tested-by: NGonglei <arei.gonglei@huawei.com> Cc: qemu-stable@nongnu.org Acked-by: NAlex Williamson <alex.williamson@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 639973a4) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Lieven 提交于
This reverts commit 25a70175. Turns out the argument *can* be null: QEMU now segfaults if it receives an invalid parameter via a qmp command instead of throwing an error. For example: { "execute": "blockdev-add", "arguments": { "options" : { "driver": "invalid-driver" } } } CC: qemu-stable@nongnu.org Signed-off-by: NPeter Lieven <pl@kamp.de> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com> (cherry picked from commit b690d679) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael Tokarev 提交于
Commit e26110cf added a check for shacmd to create a hash for modules. This check in configure is using bash construct &> to redirect both stdout and stderr, which does fun things on some shells. Get rid of it, use standard redirection instead. Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru> Reviewed-by: NFam Zheng <famz@redhat.com> (cherry picked from commit 4fc00556) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Alexey Kardashevskiy 提交于
Current guest kernels try allocating as many vectors as the quota is. For example, in the case of virtio-net (which has just 3 vectors) the guest requests 4 vectors (that is the quota in the test) and the existing ibm,change-msi handler returns 4. But before it returns, it calls msix_set_message() in a loop and corrupts memory behind the end of msix_table. This limits the number of vectors returned by ibm,change-msi to the maximum supported by the actual device. Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru> Cc: qemu-stable@nongnu.org [agraf: squash in bugfix from aik] Signed-off-by: NAlexander Graf <agraf@suse.de> (cherry picked from commit b26696b5) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Maydell 提交于
The ARM target-specific code in elfload.c was incorrectly allowing the 64-bit ARM target to use most of the existing 32-bit definitions: most noticably this meant that our HWCAP bits passed to the guest were wrong, and register handling when dumping core was totally broken. Fix this by properly separating the 64 and 32 bit code, since they have more differences than similarities. Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Cc: qemu-stable@nongnu.org Signed-off-by: NRiku Voipio <riku.voipio@linaro.org> (cherry picked from commit 24e76ff0) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Maydell 提交于
The kernel has added support for a number of new ARM HWCAP bits; add them to QEMU, including support for setting them where we have a corresponding CPU feature bit. We were also incorrectly setting the VFPv3D16 HWCAP -- this means "only 16 D registers", not "supports 16-bit floating point format"; since QEMU always has 32 D registers for VFPv3, we can just remove the line that incorrectly set this bit. The kernel does not set the HWCAP_FPA even if it is providing FPA emulation via nwfpe, so don't set this bit in QEMU either. Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Cc: qemu-stable@nongnu.org Signed-off-by: NRiku Voipio <riku.voipio@linaro.org> (cherry picked from commit 24682654) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Maydell 提交于
The ELF HWCAP bits for ARM features THUMBEE, NEON, VFPv3 and VFPv3D16 are all off by one compared to the kernel definitions. Fix this discrepancy and add in the missing CRUNCH bit which was the cause of the off-by-one error. (We don't emulate any of the CPUs which have that weird hardware, so it's otherwise uninteresting to us.) Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NRiku Voipio <riku.voipio@linaro.org> (cherry picked from commit 43ce393e) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Edgar E. Iglesias 提交于
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: NAlex Bennée <alex.bennee@linaro.org> Message-id: 1398926097-28097-2-git-send-email-edgar.iglesias@gmail.com Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> (cherry picked from commit fed3ffb9) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Edgar E. Iglesias 提交于
For linked branches, updates to the link register happen conceptually after the read of the branch target register. Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: NAlex Bennée <alex.bennee@linaro.org> Cc: qemu-stable@nongnu.org Message-id: 1398926097-28097-3-git-send-email-edgar.iglesias@gmail.com Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> (cherry picked from commit 1b505f93) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Amos Kong 提交于
QEMU crashed when I try to list device parameters and the driver name is actually an available bus name. # qemu -device virtio-pci-bus,? # qemu -device virtio-bus,? # qemu -device virtio-serial-bus,? qdev-monitor.c:212:qdev_device_help: Object 0x7fd932f50620 is not an instance of type device Aborted (core dumped) We can also reproduce this bug by adding device from monitor, so it's worth to fix the crash. (qemu) device_add virtio-serial-bus qdev-monitor.c:491:qdev_device_add: Object 0x7f5e89530920 is not an instance of type device Aborted (core dumped) Cc: qemu-stable@nongnu.org Signed-off-by: NAmos Kong <akong@redhat.com> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NAndreas Färber <afaerber@suse.de> (cherry picked from commit ce0abca3) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Paolo Bonzini 提交于
BND0-3, BNDCFGU, BNDCFGS, BNDSTATUS were not zeroed on reset, but they should be (Intel Instruction Set Extensions Programming Reference 319433-015, pages 9-4 and 9-6). Same for YMM. XCR0 should be reset to 1. TSC and TSC_RESET were zeroed already by the memset, remove the explicit assignments. Cc: Andreas Faerber <afaerber@suse.de> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 05e7e819) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Christian Borntraeger 提交于
Some ONE_REGS on s390 are not protected by a capability. Older kernels might not provide those and return an error. Fortunately these registers are only critical for the migration path. There is no need to error out on reset and normal runtime. Furthermore, these kernels don't provide a proper dirty bitmap anyway, so let's use tracing for those errors. Also provide generic one reg helper to simplify the code. Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: NCornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com> (cherry picked from commit 860643bc) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
Incoming migration with stellaris_enet is unsafe. It's being reworked, but for now, simply block it since noone is using it anyway. Block outgoing migration for good measure. CVE-2013-4532 Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
acpi build tried to add offset of hpet table to rsdt even when hpet was disabled. If no tables follow hpet, this could lead to a malformed rsdt. Fix it up. To avoid such errors in the future, rearrange code slightly to make it clear that acpi_add_table stores the offset of the following table - not of the previous one. Reported-by: NTeLeMan <geleman@gmail.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Cc: qemu-stable@nongnu.org (cherry picked from commit 9ac1c4c0) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael Tokarev 提交于
The rule for messages.po appears to be slightly wrong. Move the `cd' command within parens. Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru> Tested-by: NStefan Weil <sw@weilnetz.de> (cherry picked from commit b920cad6) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 David Hildenbrand 提交于
This patch creates empty function stubs (used by the gdbserver) in preparation for the hw debugging support by kvm on s390, which will enable the __KVM_HAVE_GUEST_DEBUG define in the linux headers and require these methods on the qemu side. Signed-off-by: NDavid Hildenbrand <dahi@linux.vnet.ibm.com> Signed-off-by: NJens Freimann <jfrei@linux.vnet.ibm.com> Reviewed-by: NCornelia Huck <cornelia.huck@de.ibm.com> Cc: qemu-stable@nongnu.org Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com> (cherry picked from commit 8c012449) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Benoît Canet 提交于
In 1.7.1 qcow2_create2 reopen the file for flushing without the BDRV_O_NO_BACKING flags. As a consequence the code would recursively open the whole backing chain. These three stack arrays would pile up through the recursion and lead to a coroutine stack overflow. Convert these array to malloced buffers in order to streamline the coroutine footprint. Symptoms where freezes or segfaults on production machines while taking QMP externals snapshots. The overflow disturbed coroutine switching. [Resolved conflicts on qemu.git/master since the patch was against v1.7.1 --Stefan] Signed-off-by: NBenoit Canet <benoit.canet@gmail.com> Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 1ba4b6a5) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Crosthwaite 提交于
The smlald (and probably smlsld) instruction was doing incorrect sign extensions of the operands amongst 64bit result calculation. The instruction psuedo-code is: operand2 = if m_swap then ROR(R[m],16) else R[m]; product1 = SInt(R[n]<15:0>) * SInt(operand2<15:0>); product2 = SInt(R[n]<31:16>) * SInt(operand2<31:16>); result = product1 + product2 + SInt(R[dHi]:R[dLo]); R[dHi] = result<63:32>; R[dLo] = result<31:0>; The result calculation should be done in 64 bit arithmetic, and hence product1 and product2 should be sign extended to 64b before calculation. The current implementation was adding product1 and product2 together then sign-extending the intermediate result leading to false negatives. E.G. if product1 = product2 = 0x4000000, their sum = 0x80000000, which will be incorrectly interpreted as -ve on sign extension. We fix by doing the 64b extensions on both product1 and product2 before any addition/subtraction happens. We also fix where we were possibly incorrectly setting the Q saturation flag for SMLSLD, which the ARM ARM specifically says is not set. Reported-by: NChristina Smith <christina.smith@xilinx.com> Signed-off-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Message-id: 2cddb6f5a15be4ab8d2160f3499d128ae93d304d.1397704570.git.peter.crosthwaite@xilinx.com Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> (cherry picked from commit 33bbd75a) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Hannes Reinecke 提交于
Newer firmware implement a LD_LIST_QUERY command, and due to a driver issue no drives might be detected if this command isn't supported. So add emulation for this command, too. Cc: qemu-stable@nongnu.org Signed-off-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 34bb4d02) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Alex Bennée 提交于
The test for the U bit was incorrectly inverted in the scalar case of SQXTUN. This doesn't affect the vector case as the U bit is used to select XTN(2). Reported-by: NHao Liu <hao.liu@arm.com> Signed-off-by: NAlex Bennée <alex.bennee@linaro.org> Reviewed-by: NClaudio Fontana <claudio.fontana@huawei.com> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> (cherry picked from commit e44a90c5) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4542 hw/scsi/scsi-bus.c invokes load_request. virtio_scsi_load_request does: qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem)); this probably can make elem invalid, for example, make in_num or out_num huge, then: virtio_scsi_parse_req(s, vs->cmd_vqs[n], req); will do: if (req->elem.out_num > 1) { qemu_sgl_init_external(req, &req->elem.out_sg[1], &req->elem.out_addr[1], req->elem.out_num - 1); } else { qemu_sgl_init_external(req, &req->elem.in_sg[1], &req->elem.in_addr[1], req->elem.in_num - 1); } and this will access out of array bounds. Note: this adds security checks within assert calls since SCSIBusInfo's load_request cannot fail. For now simply disable builds with NDEBUG - there seems to be little value in supporting these. Cc: Andreas Färber <afaerber@suse.de> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 3c3ce981) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4541 s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked to make sure they are not negative. Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NGerd Hoffmann <kraxel@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 9f8e9895) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4540 Within scoop_gpio_handler_update, if prev_level has a high bit set, then we get bit > 16 and that causes a buffer overrun. Since prev_level comes from wire indirectly, this can happen on invalid state load. Similarly for gpio_level and gpio_dir. To fix, limit to 16 bit. Reported-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 52f91c37) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4539 s->precision, nextprecision, function and nextfunction come from wire and are used as idx into resolution[] in TSC_CUT_RESOLUTION. Validate after load to avoid buffer overrun. Cc: Andreas Färber <afaerber@suse.de> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 5193be3b) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4538 s->cmd_len used as index in ssd0323_transfer() to store 32-bit field. Possible this field might then be supplied by guest to overwrite a return addr somewhere. Same for row/col fields, which are indicies into framebuffer array. To fix validate after load. Additionally, validate that the row/col_start/end are within bounds; otherwise the guest can provoke an overrun by either setting the _end field so large that the row++ increments just walk off the end of the array, or by setting the _start value to something bogus and then letting the "we hit end of row" logic reset row to row_start. For completeness, validate mode as well. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit ead7a57d) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4537 s->arglen is taken from wire and used as idx in ssi_sd_transfer(). Validate it before access. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit a9c380db) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4533 s->rx_level is read from the wire and used to determine how many bytes to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the length of s->rx_fifo[] the buffer can be overrun with arbitrary data from the wire. Fix this by validating rx_level against the size of s->rx_fifo. Cc: Don Koch <dkoch@verizon.com> Reported-by: NMichael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NDon Koch <dkoch@verizon.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit caa881ab) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael Roth 提交于
CVE-2013-4534 opp->nb_cpus is read from the wire and used to determine how many IRQDest elements to read into opp->dst[]. If the value exceeds the length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary data from the wire. Fix this by failing migration if the value read from the wire exceeds MAX_CPU. Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com> Reviewed-by: NAlexander Graf <agraf@suse.de> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 73d963c0) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4535 CVE-2013-4536 Both virtio-block and virtio-serial read, VirtQueueElements are read in as buffers, and passed to virtqueue_map_sg(), where num_sg is taken from the wire and can force writes to indicies beyond VIRTQUEUE_MAX_SIZE. To fix, validate num_sg. Reported-by: NMichael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Cc: Amit Shah <amit.shah@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 36cf2a37) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael Roth 提交于
CVE-2013-6399 vdev->queue_sel is read from the wire, and later used in the emulation code as an index into vdev->vq[]. If the value of vdev->queue_sel exceeds the length of vdev->vq[], currently allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun the buffer with arbitrary data originating from the source. Fix this by failing migration if the value from the wire exceeds VIRTIO_PCI_QUEUE_MAX. Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 4b53c2c7) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4531 cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for cpreg_vmstate_array_len will cause a buffer overflow. VMSTATE_INT32_LE was supposed to protect against this but doesn't because it doesn't validate that input is non-negative. Fix this macro to valide the value appropriately. The only other user of VMSTATE_INT32_LE doesn't ever use negative numbers so it doesn't care. Reported-by: NAnthony Liguori <anthony@codemonkey.ws> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit d2ef4b61) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4530 pl022.c did not bounds check tx_fifo_head and rx_fifo_head after loading them from file and before they are used to dereference array. Reported-by: Michael S. Tsirkin <mst@redhat.com Reported-by: NAnthony Liguori <anthony@codemonkey.ws> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit d8d0a0bc) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
4) CVE-2013-4529 hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is too large There are two issues in this file: 1. log_max from remote can be larger than on local then buffer will overrun with data coming from state file. 2. log_num can be larger then we get data corruption again with an overflow but not adversary controlled. Fix both issues. Reported-by: NAnthony Liguori <anthony@codemonkey.ws> Reported-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 5f691ff9) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4527 hw/timer/hpet.c buffer overrun hpet is a VARRAY with a uint8 size but static array of 32 To fix, make sure num_timers is valid using VMSTATE_VALID hook. Reported-by: NAnthony Liguori <anthony@codemonkey.ws> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 3f1c49e2) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4526 Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So we use the old version of ports to read the array but then allow any value for ports. This can cause the code to overflow. There's no reason to migrate ports - it never changes. So just make sure it matches. Reported-by: NAnthony Liguori <anthony@codemonkey.ws> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit ae2158ad) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c > } else if (n->mac_table.in_use) { > uint8_t *buf = g_malloc0(n->mac_table.in_use); We are allocating buffer of size n->mac_table.in_use > qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); and read to the n->mac_table.in_use size buffer n->mac_table.in_use * ETH_ALEN bytes, corrupting memory. If adversary controls state then memory written there is controlled by adversary. Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 98f93ddd) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c This code is in hw/net/virtio-net.c: if (n->max_queues > 1) { if (n->max_queues != qemu_get_be16(f)) { error_report("virtio-net: different max_queues "); return -1; } n->curr_queues = qemu_get_be16(f); for (i = 1; i < n->curr_queues; i++) { n->vqs[i].tx_waiting = qemu_get_be32(f); } } Number of vqs is max_queues, so if we get invalid input here, for example if max_queues = 2, curr_queues = 3, we get write beyond end of the buffer, with data that comes from wire. This might be used to corrupt qemu memory in hard to predict ways. Since we have lots of function pointers around, RCE might be possible. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Acked-by: NJason Wang <jasowang@redhat.com> Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit eea750a5) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
CVE-2013-4148 QEMU 1.0 integer conversion in virtio_net_load()@hw/net/virtio-net.c Deals with loading a corrupted savevm image. > n->mac_table.in_use = qemu_get_be32(f); in_use is int so it can get negative when assigned 32bit unsigned value. > /* MAC_TABLE_ENTRIES may be different from the saved image */ > if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) { passing this check ^^^ > qemu_get_buffer(f, n->mac_table.macs, > n->mac_table.in_use * ETH_ALEN); with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get positive and bigger than mac_table.macs. For example 0x81000000 satisfies this condition when ETH_ALEN is 6. Fix it by making the value unsigned. For consistency, change first_multi as well. Note: all call sites were audited to confirm that making them unsigned didn't cause any issues: it turns out we actually never do math on them, so it's easy to validate because both values are always <= MAC_TABLE_ENTRIES. Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NLaszlo Ersek <lersek@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 71f7fe48) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit 4082f088) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-