mirror of
https://github.com/qemu/qemu.git
synced 2024-12-16 16:53:28 +08:00
cc45995294
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in virtio_load@hw/virtio/virtio.c So we have this code since way back when: num = qemu_get_be32(f); for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); array of vqs has size VIRTIO_PCI_QUEUE_MAX, so on invalid input this will write beyond end of buffer. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Juan Quintela <quintela@redhat.com> |
||
---|---|---|
.. | ||
dataplane | ||
Makefile.objs | ||
vhost.c | ||
virtio-balloon.c | ||
virtio-bus.c | ||
virtio-mmio.c | ||
virtio-pci.c | ||
virtio-pci.h | ||
virtio-rng.c | ||
virtio.c |