From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:25 +0300
Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
---
hw/usb/bus.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index f83d1de..c6c2005 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -47,6 +47,12 @@ static int usb_device_post_load(void *opaque, int version_id)
} else {
dev->attached = 1;
}
+ if (dev->setup_index < 0 ||
+ dev->setup_len < 0 ||
+ dev->setup_index >= sizeof(dev->data_buf) ||
+ dev->setup_len >= sizeof(dev->data_buf)) {
+ return -EINVAL;
+ }
return 0;
}
distrib
>
Mageia
>
4
>
x86_64
>
media
>
core-updates-src
>
by-pkgid
>
405ecbfd47707aaab6090c273e001faa
>
files
>
114
