falso
/
qemu-irix
mirror of https://github.com/n64decomp/qemu-irix.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
qemu-irix/hw/virtio
History
Michael S. Tsirkin 68801b7be1 virtio: validate num_sg when mapping 
CVE-2013-4535
CVE-2013-4536

Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 36cf2a3713)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
 		2014-06-26 14:18:51 -05:00
..
dataplane virtio: clear signalled_used_valid when switching from dataplane 2013-08-12 12:19:04 +03:00
Makefile.objs virtio: Implement MMIO based virtio transport 2013-07-19 12:58:47 +01:00
vhost.c vhost: clear signalled_used_valid on vhost stop 2013-08-12 12:25:17 +03:00
virtio-balloon.c virtio-balloon: switch exit callback to VirtioDeviceClass 2014-02-20 21:36:15 -06:00
virtio-bus.c virtio-bus: cleanup plug/unplug interface 2014-02-20 21:36:15 -06:00
virtio-mmio.c virtio-bus: remove vdev field 2014-02-20 21:36:14 -06:00
virtio-pci.c virtio-pci: add device_unplugged callback 2014-02-20 21:36:15 -06:00
virtio-pci.h virtio-pci: remove vdev field 2014-02-20 21:36:15 -06:00
virtio-rng.c virtio-rng: switch exit callback to VirtioDeviceClass 2014-02-20 21:36:15 -06:00
virtio.c virtio: validate num_sg when mapping 2014-06-26 14:18:51 -05:00