qemu/hw/net
Michael S. Tsirkin 98f93ddd84 virtio-net: out-of-bounds buffer write on load
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating a buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read n->mac_table.in_use * ETH_ALEN bytes into the
n->mac_table.in_use size buffer, corrupting memory.

If an adversary controls the state, then the memory written there is
controlled by the adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
fsl_etsec FSL eTSEC: Fix typo in rx ring 2014-03-15 13:54:18 +04:00
allwinner_emac.c allwinner-emac: update irq status after writes to interrupt registers 2014-04-17 21:34:06 +01:00
cadence_gem.c net: cadence_gem: Make phy respond to broadcast 2014-04-17 21:34:07 +01:00
dp8393x.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
e1000_regs.h
e1000.c Revert "e1000/rtl8139: update HMP NIC when every bit is written" 2013-11-21 16:28:27 +02:00
eepro100.c hw: set interrupts using pci irq wrappers 2013-10-14 17:11:45 +03:00
etraxfs_eth.c hw: cannot_instantiate_with_device_add_yet due to pointer props 2013-12-24 17:27:17 +01:00
lan9118.c Fix lan9118 buffer length handling 2014-01-27 15:44:06 +01:00
lance.c hw: cannot_instantiate_with_device_add_yet due to pointer props 2013-12-24 17:27:17 +01:00
Makefile.objs Add Enhanced Three-Speed Ethernet Controller (eTSEC) 2014-03-05 03:06:45 +01:00
mcf_fec.c memory: add owner argument to initialization functions 2013-07-04 17:42:44 +02:00
milkymist-minimac2.c milkymist-minimac2: QOM cast cleanup 2013-07-29 21:06:59 +02:00
mipsnet.c mipsnet: QOM cast cleanup 2013-07-29 21:07:02 +02:00
ne2000-isa.c qdev: Remove hex8/32/64 property types 2014-02-14 21:12:04 +01:00
ne2000.c bswap.h: Remove le32_to_cpupu() 2013-11-05 19:57:46 -08:00
ne2000.h ne2000: pass device to ne2000_setup_io, use it as owner 2013-07-04 17:42:46 +02:00
opencores_eth.c opencores_eth: flush queue whenever can_receive can go from false to true 2014-02-25 11:50:16 +01:00
pcnet-pci.c pci, pc, acpi fixes, enhancements 2013-10-31 16:58:32 +01:00
pcnet.c pcnet: remove duplicate assignment 2014-04-25 13:40:03 +02:00
pcnet.h
rtl8139.c Revert "e1000/rtl8139: update HMP NIC when every bit is written" 2013-11-21 16:28:27 +02:00
smc91c111.c smc91c111: Fix receive starvation 2013-11-15 13:25:39 +01:00
spapr_llan.c spapr_llan: Add to boot device list 2014-03-20 02:40:13 +01:00
stellaris_enet.c hw/net/stellaris_enet: Avoid unintended sign extension 2014-02-26 17:19:58 +00:00
vhost_net.c vhost_net: use offload API instead of bypassing it 2014-02-25 14:31:05 +01:00
virtio-net.c virtio-net: out-of-bounds buffer write on load 2014-05-05 22:15:03 +02:00
vmware_utils.h exec: Make stb_phys input an AddressSpace 2014-02-11 22:57:38 +10:00
vmxnet3.c vmxnet3: validate queues configuration read on migration 2014-04-14 11:50:56 +01:00
vmxnet3.h vmxnet3: Eliminate __packed redefined warning 2013-09-06 17:25:55 +02:00
vmxnet_debug.h
vmxnet_rx_pkt.c
vmxnet_rx_pkt.h
vmxnet_tx_pkt.c misc: Use g_assert_not_reached for code which is expected to be unreachable 2013-07-27 11:22:54 +04:00
vmxnet_tx_pkt.h
xen_nic.c
xgmac.c xgmac: QOM cast cleanup 2013-07-29 21:07:00 +02:00
xilinx_axienet.c trivial patches for 2014-04-28 2014-04-28 13:43:17 +01:00
xilinx_ethlite.c xilinx_ethlite: QOM cast cleanup 2013-07-29 21:07:00 +02:00