qemu-irix

History

Michael S. Tsirkin 5544b7e419 virtio: out-of-bounds buffer write on invalid state load CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in virtio_load@hw/virtio/virtio.c So we have this code since way back when: num = qemu_get_be32(f); for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); array of vqs has size VIRTIO_PCI_QUEUE_MAX, so on invalid input this will write beyond end of buffer. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Juan Quintela <quintela@redhat.com> (cherry picked from commit `cc45995294`) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>		2014-06-26 14:00:35 -05:00
..
dataplane	virtio: clear signalled_used_valid when switching from dataplane	2013-08-12 12:19:04 +03:00
Makefile.objs	virtio: Implement MMIO based virtio transport	2013-07-19 12:58:47 +01:00
vhost.c	vhost: clear signalled_used_valid on vhost stop	2013-08-12 12:25:17 +03:00
virtio-balloon.c	virtio-balloon: switch exit callback to VirtioDeviceClass	2014-02-20 21:36:15 -06:00
virtio-bus.c	virtio-bus: cleanup plug/unplug interface	2014-02-20 21:36:15 -06:00
virtio-mmio.c	virtio-bus: remove vdev field	2014-02-20 21:36:14 -06:00
virtio-pci.c	virtio-pci: add device_unplugged callback	2014-02-20 21:36:15 -06:00
virtio-pci.h	virtio-pci: remove vdev field	2014-02-20 21:36:15 -06:00
virtio-rng.c	virtio-rng: switch exit callback to VirtioDeviceClass	2014-02-20 21:36:15 -06:00
virtio.c	virtio: out-of-bounds buffer write on invalid state load	2014-06-26 14:00:35 -05:00