mirror of
https://github.com/qemu/qemu.git
synced 2024-11-26 21:33:40 +08:00
ahci: fix buffer overrun on invalid state load
CVE-2013-4526 Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So we use the old version of ports to read the array but then allow any value for ports. This can cause the code to overflow. There's no reason to migrate ports - it never changes. So just make sure it matches. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Juan Quintela <quintela@redhat.com>
This commit is contained in:
parent
cc45995294
commit
ae2158ad6c
@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = {
|
||||
VMSTATE_UINT32(control_regs.impl, AHCIState),
|
||||
VMSTATE_UINT32(control_regs.version, AHCIState),
|
||||
VMSTATE_UINT32(idp_index, AHCIState),
|
||||
VMSTATE_INT32(ports, AHCIState),
|
||||
VMSTATE_INT32_EQUAL(ports, AHCIState),
|
||||
VMSTATE_END_OF_LIST()
|
||||
},
|
||||
};
|
||||
|
Loading…
Reference in New Issue
Block a user