Google Git
Sign in
qemu / qemu / 64ffbe04eaafebf4045a3ace52a360c14959d196
commit64ffbe04eaafebf4045a3ace52a360c14959d196[log] [tgz]
authorWolfgang Bumiller <w.bumiller@proxmox.com>Wed Jan 13 09:09:58 2016 +0100
committerMarkus Armbruster <armbru@redhat.com>Wed Feb 03 10:13:06 2016 +0100
tree57ccddbc02a6c706c89ff44f78ee62f65f9d397c
parentc65db7705b7926f4a084b93778e4bd5dd3990aad [diff]
hmp: fix sendkey out of bounds write (CVE-2015-8619)

When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.

Since the keyname's length is known the keyname_buf can be
removed altogether by adding a length parameter to
index_from_key() and using it for the error output as well.

Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-Id: <20160113080958.GA18934@olga>
[Comparison with "<" dumbed down, test for junk after strtoul()
tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
3 files changed
tree: 57ccddbc02a6c706c89ff44f78ee62f65f9d397c
  1. audio/
  2. backends/
  3. block/
  4. bsd-user/
  5. contrib/
  6. crypto/
  7. default-configs/
  8. disas/
  9. docs/
  10. fpu/
  11. fsdev/
  12. gdb-xml/
  13. hw/
  14. include/
  15. io/
  16. libdecnumber/
  17. linux-headers/
  18. linux-user/
  19. migration/
  20. nbd/
  21. net/
  22. pc-bios/
  23. po/
  24. qapi/
  25. qga/
  26. qobject/
  27. qom/
  28. replay/
  29. roms/
  30. scripts/
  31. slirp/
  32. stubs/
  33. target-alpha/
  34. target-arm/
  35. target-cris/
  36. target-i386/
  37. target-lm32/
  38. target-m68k/
  39. target-microblaze/
  40. target-mips/
  41. target-moxie/
  42. target-openrisc/
  43. target-ppc/
  44. target-s390x/
  45. target-sh4/
  46. target-sparc/
  47. target-tilegx/
  48. target-tricore/
  49. target-unicore32/
  50. target-xtensa/
  51. tcg/
  52. tests/
  53. trace/
  54. ui/
  55. util/
  56. dtc
  57. pixman
  58. .dir-locals.el
  59. .exrc
  60. .gitignore
  61. .gitmodules
  62. .mailmap
  63. .travis.yml
  64. accel.c
  65. aio-posix.c
  66. aio-win32.c
  67. arch_init.c
  68. async.c
  69. balloon.c
  70. block.c
  71. blockdev-nbd.c
  72. blockdev.c
  73. blockjob.c
  74. bootdevice.c
  75. bt-host.c
  76. bt-vhci.c
  77. Changelog
  78. CODING_STYLE
  79. configure
  80. COPYING
  81. COPYING.LIB
  82. cpu-exec-common.c
  83. cpu-exec.c
  84. cpus.c
  85. cputlb.c
  86. device-hotplug.c
  87. device_tree.c
  88. disas.c
  89. dma-helpers.c
  90. dump.c
  91. exec.c
  92. gdbstub.c
  93. HACKING
  94. hmp-commands-info.hx
  95. hmp-commands.hx
  96. hmp.c
  97. hmp.h
  98. iohandler.c
  99. ioport.c
  100. iothread.c
  101. kvm-all.c
  102. kvm-stub.c
  103. LICENSE
  104. main-loop.c
  105. MAINTAINERS
  106. Makefile
  107. Makefile.objs
  108. Makefile.target
  109. memory.c
  110. memory_mapping.c
  111. module-common.c
  112. monitor.c
  113. numa.c
  114. os-posix.c
  115. os-win32.c
  116. page_cache.c
  117. qapi-schema.json
  118. qdev-monitor.c
  119. qdict-test-data.txt
  120. qemu-bridge-helper.c
  121. qemu-char.c
  122. qemu-doc.texi
  123. qemu-ga.texi
  124. qemu-img-cmds.hx
  125. qemu-img.c
  126. qemu-img.texi
  127. qemu-io-cmds.c
  128. qemu-io.c
  129. qemu-log.c
  130. qemu-nbd.c
  131. qemu-nbd.texi
  132. qemu-options-wrapper.h
  133. qemu-options.h
  134. qemu-options.hx
  135. qemu-seccomp.c
  136. qemu-tech.texi
  137. qemu-timer.c
  138. qemu.nsi
  139. qemu.sasl
  140. qjson.c
  141. qmp-commands.hx
  142. qmp.c
  143. qtest.c
  144. README
  145. rules.mak
  146. softmmu_template.h
  147. spice-qemu-char.c
  148. tcg-runtime.c
  149. tci.c
  150. thread-pool.c
  151. thunk.c
  152. tpm.c
  153. trace-events
  154. translate-all.c
  155. translate-all.h
  156. translate-common.c
  157. user-exec.c
  158. VERSION
  159. version.rc
  160. vl.c
  161. xen-common-stub.c
  162. xen-common.c
  163. xen-hvm-stub.c
  164. xen-hvm.c
  165. xen-mapcache.c