1 From acf45756e165664f6d70025c02ddca563adee496 Mon Sep 17 00:00:00 2001
2 From: "Michael S. Tsirkin" <mst@redhat.com>
3 Date: Thu, 3 Apr 2014 19:51:42 +0300
4 Subject: [PATCH] vmstate: fix buffer overflow in target-arm/machine.c
8 cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
9 cpreg_vmstate_array_len will cause a buffer overflow.
11 VMSTATE_INT32_LE was supposed to protect against this
12 but doesn't because it doesn't validate that input is
15 Fix this macro to validate the value appropriately.
17 The only other user of VMSTATE_INT32_LE doesn't
18 ever use negative numbers so it doesn't care.
20 Reported-by: Anthony Liguori <anthony@codemonkey.ws>
21 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
22 Signed-off-by: Juan Quintela <quintela@redhat.com>
23 (cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)
26 1 file changed, 4 insertions(+), 3 deletions(-)
28 diff --git a/vmstate.c b/vmstate.c
29 index d856319..105f184 100644
32 @@ -333,8 +333,9 @@ const VMStateInfo vmstate_info_int32_equal = {
36 -/* 32 bit int. Check that the received value is less than or equal to
37 - the one in the field */
38 +/* 32 bit int. Check that the received value is non-negative
39 + * and less than or equal to the one in the field.
42 static int get_int32_le(QEMUFile *f, void *pv, size_t size)
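Review bot: The rewritten comment at the top of the hunk states what get_int32_le now checks but not why a negative value has to be rejected, which is the reason this patch exists; the commit message explains that the loaded value is later consumed as a VARRAY_INT32 length, and the comment is where a future reader will look for that. Suggested wording: `/* 32 bit int. Check that the received value is non-negative and less than or equal to the one in the field: the value is used as an array length (VARRAY_INT32), so a negative value would cause a buffer overflow. */`. That ties the `loaded >= 0` test in the following hunk to its purpose so it is not dropped as redundant later. The closing ` */` of the comment and the body of get_int32_le lie outside the visible lines of this hunk.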
44 @@ -342,7 +343,7 @@ static int get_int32_le(QEMUFile *f, void *pv, size_t size)
46 qemu_get_sbe32s(f, &loaded);
48 - if (loaded <= *cur) {
49 + if (loaded >= 0 && loaded <= *cur) {