Google Git
Sign in
qemu / qemu / 13b250b12ad3c59114a6a17d59caf073ce45b33a
commit13b250b12ad3c59114a6a17d59caf073ce45b33a[log] [tgz]
authorGerd Hoffmann <kraxel@redhat.com>Wed Aug 18 14:05:05 2021 +0200
committerGerd Hoffmann <kraxel@redhat.com>Wed Sep 01 06:34:00 2021 +0200
tree0f79d14314c1c36f499a29e2eedaf5ff5b7626c9
parentad22d0583300df420819e6c89b1c022b998fac8a [diff]
uas: add stream number sanity checks.

The device uses the guest-supplied stream number unchecked, which can
lead to guest-triggered out-of-band access to the UASDevice->data3 and
UASDevice->status3 fields.  Add the missing checks.

Fixes: CVE-2021-3713
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reported-by: Chen Zhe <chenzhe@huawei.com>
Reported-by: Tan Jingguo <tanjingguo@huawei.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
1 file changed
tree: 0f79d14314c1c36f499a29e2eedaf5ff5b7626c9
  1. .github/
  2. .gitlab/
  3. .gitlab-ci.d/
  4. accel/
  5. audio/
  6. authz/
  7. backends/
  8. block/
  9. bsd-user/
  10. chardev/
  11. configs/
  12. contrib/
  13. crypto/
  14. disas/
  15. docs/
  16. dump/
  17. ebpf/
  18. fpu/
  19. fsdev/
  20. gdb-xml/
  21. hw/
  22. include/
  23. io/
  24. libdecnumber/
  25. linux-headers/
  26. linux-user/
  27. migration/
  28. monitor/
  29. nbd/
  30. net/
  31. pc-bios/
  32. plugins/
  33. po/
  34. python/
  35. qapi/
  36. qga/
  37. qobject/
  38. qom/
  39. replay/
  40. roms/
  41. scripts/
  42. scsi/
  43. semihosting/
  44. softmmu/
  45. storage-daemon/
  46. stubs/
  47. subprojects/
  48. target/
  49. tcg/
  50. tests/
  51. tools/
  52. trace/
  53. ui/
  54. util/
  55. capstone
  56. dtc
  57. meson
  58. slirp
  59. .cirrus.yml
  60. .dir-locals.el
  61. .editorconfig
  62. .exrc
  63. .gdbinit
  64. .gitattributes
  65. .gitignore
  66. .gitlab-ci.yml
  67. .gitmodules
  68. .gitpublish
  69. .mailmap
  70. .patchew.yml
  71. .readthedocs.yml
  72. .travis.yml
  73. block.c
  74. blockdev-nbd.c
  75. blockdev.c
  76. blockjob.c
  77. configure
  78. COPYING
  79. COPYING.LIB
  80. cpu.c
  81. cpus-common.c
  82. disas.c
  83. gdbstub.c
  84. gitdm.config
  85. hmp-commands-info.hx
  86. hmp-commands.hx
  87. iothread.c
  88. job-qmp.c
  89. job.c
  90. Kconfig
  91. Kconfig.host
  92. LICENSE
  93. MAINTAINERS
  94. Makefile
  95. memory_ldst.c.inc
  96. meson.build
  97. meson_options.txt
  98. module-common.c
  99. os-posix.c
  100. os-win32.c
  101. page-vary-common.c
  102. page-vary.c
  103. qemu-bridge-helper.c
  104. qemu-edid.c
  105. qemu-img-cmds.hx
  106. qemu-img.c
  107. qemu-io-cmds.c
  108. qemu-io.c
  109. qemu-keymap.c
  110. qemu-nbd.c
  111. qemu-options.hx
  112. qemu.nsi
  113. qemu.sasl
  114. README.rst
  115. replication.c
  116. thunk.c
  117. trace-events
  118. VERSION
  119. version.rc