qemu/hw
Michael S. Tsirkin 98f93ddd84 virtio-net: out-of-bounds buffer write on load
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
..
9pfs qerror.h: Remove QERR defines that are only used once 2014-04-25 09:19:59 -04:00
acpi acpi: Assert sts array limit on AcpiCpuHotplug_add() 2014-03-18 16:08:43 +02:00
alpha exec: Make stq_*_phys input an AddressSpace 2014-02-11 22:57:12 +10:00
arm pxa2xx: avoid buffer overrun on incoming migration 2014-05-05 22:15:02 +02:00
audio hda-audio: fix non-mixer codecs 2014-04-29 10:46:29 +02:00
block block: Add errp to bdrv_new() 2014-04-22 12:00:20 +02:00
bt Preparation for usb-bt-dongle conditional build 2013-09-10 11:14:41 +02:00
char char/serial: Fix emptyness handling 2014-04-07 14:51:32 +01:00
core qerror.h: Remove QERR defines that are only used once 2014-04-25 09:19:59 -04:00
cpu icc_bus: QOM'ify ICC 2013-12-24 18:02:18 +01:00
cris cris: Remove the CRIS PIC glue 2014-02-03 14:04:00 +00:00
display ssd0323: fix buffer overun on invalid state load 2014-05-05 22:15:02 +02:00
dma qom: Add check() argument to object_property_add_link() 2014-03-19 22:23:13 +01:00
gpio zaurus: fix buffer overrun on invalid state load 2014-05-05 22:15:02 +02:00
i2c Fix grammar in comment 2014-04-18 10:33:36 +04:00
i386 misc: Use cpu_physical_memory_read and cpu_physical_memory_write 2014-04-27 13:04:18 +04:00
ide ahci: fix buffer overrun on invalid state load 2014-05-05 22:15:02 +02:00
input tsc210x: fix buffer overrun on invalid state load 2014-05-05 22:15:02 +02:00
intc openpic: avoid buffer overrun on incoming migration 2014-05-05 22:15:03 +02:00
ipack ipack: Move IndustryPack out of hw/char/ 2014-02-14 21:11:53 +01:00
isa QOM infrastructure fixes and device conversions 2014-02-20 13:05:48 +00:00
lm32 hw/lm32: print error if cpu model is not found 2014-02-04 19:47:39 +01:00
m68k an5206: Don't enforce use of kernel for qtest 2013-11-05 17:47:29 +01:00
microblaze xilinx: Delete hw/include/xilinx.h 2014-02-26 14:54:45 +10:00
mips i2c: Rename i2c_bus to I2CBus 2014-02-14 16:22:31 +01:00
misc qerror.h: Remove QERR defines that are only used once 2014-04-25 09:19:59 -04:00
moxie moxie: fix load_elf() usage 2014-03-05 03:06:46 +01:00
net virtio-net: out-of-bounds buffer write on load 2014-05-05 22:15:03 +02:00
nvram vl.c: Extend get_boot_devices_list() to ignore suffixes 2014-03-20 02:40:07 +01:00
openrisc openrisc-timer: Reduce overhead, Separate clock update functions 2013-11-20 21:46:45 +08:00
pci vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ 2014-05-05 22:15:03 +02:00
pci-bridge pci/shpc: convert SHPC hotplug to use hotplug-handler API 2014-02-10 10:27:00 +02:00
pci-host hw/pci-host/prep: Don't reverse IO accesses on bigendian hosts 2014-04-08 18:37:45 +01:00
pcmcia qom: Add check() argument to object_property_add_link() 2014-03-19 22:23:13 +01:00
ppc ppce500_spin: Initialize struct properly 2014-04-08 11:20:05 +02:00
s390x qom: Add check() argument to object_property_add_link() 2014-03-19 22:23:13 +01:00
scsi virtio-scsi: fix buffer overrun on invalid state load 2014-05-05 22:15:02 +02:00
sd ssi-sd: fix buffer overrun on invalid state load 2014-05-05 22:15:03 +02:00
sh4 cputlb: Change tlb_flush() argument to CPUState 2014-03-13 19:52:47 +01:00
sparc sun4m: Add Sun CG3 framebuffer initialisation function 2014-02-27 10:01:41 +00:00
sparc64 pc,pci,virtio fixes and cleanups 2013-09-03 12:31:07 -05:00
ssi pl022: fix buffer overun on invalid state load 2014-05-05 22:15:02 +02:00
timer hpet: fix buffer overrun on invalid state load 2014-05-05 22:15:02 +02:00
tpm aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
unicore32 console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
usb usb: sanity check setup_index+setup_len in post_load 2014-05-05 22:15:03 +02:00
virtio virtio: validate num_sg when mapping 2014-05-05 22:15:02 +02:00
watchdog qemu-option: Remove qemu_opts_create_nofail 2014-01-06 15:02:30 -05:00
xen Call pci_piix3_xen_ide_unplug from unplug_disks 2014-02-20 17:28:08 +00:00
xtensa hw/xtensa: add support for ML605 and KC705 FPGA board 2014-02-24 04:47:01 +04:00
Makefile.objs hw/9pfs: Include virtio-9p-device.o in build 2014-03-04 09:20:49 +05:30