Google Git
Sign in
qemu / qemu / 98f93ddd84800f207889491e0b5d851386b459cf
commit98f93ddd84800f207889491e0b5d851386b459cf[log] [tgz]
authorMichael S. Tsirkin <mst@redhat.com>Mon Apr 28 16:08:21 2014 +0300
committerJuan Quintela <quintela@redhat.com>Mon May 05 22:15:03 2014 +0200
tree085acc36e1693aca021848f1b2de9d2bbe0c5dda
parent73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e [diff]
virtio-net: out-of-bounds buffer write on load

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
1 file changed
tree: 085acc36e1693aca021848f1b2de9d2bbe0c5dda
  1. audio/
  2. backends/
  3. block/
  4. bsd-user/
  5. default-configs/
  6. disas/
  7. docs/
  8. fpu/
  9. fsdev/
  10. gdb-xml/
  11. hw/
  12. include/
  13. libcacard/
  14. linux-headers/
  15. linux-user/
  16. net/
  17. pc-bios/
  18. po/
  19. qapi/
  20. qga/
  21. qobject/
  22. qom/
  23. roms/
  24. scripts/
  25. slirp/
  26. stubs/
  27. sysconfigs/
  28. target-alpha/
  29. target-arm/
  30. target-cris/
  31. target-i386/
  32. target-lm32/
  33. target-m68k/
  34. target-microblaze/
  35. target-mips/
  36. target-moxie/
  37. target-openrisc/
  38. target-ppc/
  39. target-s390x/
  40. target-sh4/
  41. target-sparc/
  42. target-unicore32/
  43. target-xtensa/
  44. tcg/
  45. tests/
  46. trace/
  47. ui/
  48. util/
  49. dtc
  50. pixman
  51. .exrc
  52. .gitignore
  53. .gitmodules
  54. .mailmap
  55. .travis.yml
  56. aio-posix.c
  57. aio-win32.c
  58. arch_init.c
  59. async.c
  60. balloon.c
  61. block-migration.c
  62. block.c
  63. blockdev-nbd.c
  64. blockdev.c
  65. blockjob.c
  66. bt-host.c
  67. bt-vhci.c
  68. Changelog
  69. CODING_STYLE
  70. configure
  71. COPYING
  72. COPYING.LIB
  73. coroutine-gthread.c
  74. coroutine-sigaltstack.c
  75. coroutine-ucontext.c
  76. coroutine-win32.c
  77. cpu-exec.c
  78. cpus.c
  79. cputlb.c
  80. device-hotplug.c
  81. device_tree.c
  82. disas.c
  83. dma-helpers.c
  84. dump.c
  85. exec.c
  86. gdbstub.c
  87. HACKING
  88. hmp-commands.hx
  89. hmp.c
  90. hmp.h
  91. iohandler.c
  92. ioport.c
  93. iothread.c
  94. kvm-all.c
  95. kvm-stub.c
  96. LICENSE
  97. main-loop.c
  98. MAINTAINERS
  99. Makefile
  100. Makefile.objs
  101. Makefile.target
  102. memory.c
  103. memory_mapping.c
  104. migration-exec.c
  105. migration-fd.c
  106. migration-rdma.c
  107. migration-tcp.c
  108. migration-unix.c
  109. migration.c
  110. module-common.c
  111. monitor.c
  112. nbd.c
  113. os-posix.c
  114. os-win32.c
  115. page_cache.c
  116. qapi-schema.json
  117. qdev-monitor.c
  118. qdict-test-data.txt
  119. qemu-bridge-helper.c
  120. qemu-char.c
  121. qemu-coroutine-io.c
  122. qemu-coroutine-lock.c
  123. qemu-coroutine-sleep.c
  124. qemu-coroutine.c
  125. qemu-doc.texi
  126. qemu-file.c
  127. qemu-img-cmds.hx
  128. qemu-img.c
  129. qemu-img.texi
  130. qemu-io-cmds.c
  131. qemu-io.c
  132. qemu-log.c
  133. qemu-nbd.c
  134. qemu-nbd.texi
  135. qemu-options-wrapper.h
  136. qemu-options.h
  137. qemu-options.hx
  138. qemu-seccomp.c
  139. qemu-tech.texi
  140. qemu-timer.c
  141. qemu.nsi
  142. qemu.sasl
  143. qmp-commands.hx
  144. qmp.c
  145. qtest.c
  146. README
  147. rules.mak
  148. savevm.c
  149. spice-qemu-char.c
  150. tcg-runtime.c
  151. tci.c
  152. thread-pool.c
  153. thunk.c
  154. tpm.c
  155. trace-events
  156. translate-all.c
  157. translate-all.h
  158. user-exec.c
  159. VERSION
  160. version.rc
  161. vl.c
  162. vmstate.c
  163. xbzrle.c
  164. xen-all.c
  165. xen-mapcache.c
  166. xen-stub.c