david.venhoff/QEMU-Nyx-fork
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
QEMU-Nyx-fork/hw/virtio
History
Michael S. Tsirkin a890a2f913 virtio: validate config_len on load 
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

--

v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
..
dataplane
dataplane: fix shadowed return value
2014-01-22 13:48:18 +01:00
Makefile.objs
virtio: Implement MMIO based virtio transport
2013-07-19 12:58:47 +01:00
vhost.c
vhost: clear signalled_used_valid on vhost stop
2013-08-12 12:25:17 +03:00
virtio-balloon.c
virtio-balloon: don't hardcode config size value
2014-01-15 23:34:17 +04:00
virtio-bus.c
virtio-bus: cleanup plug/unplug interface
2013-12-09 21:46:48 +01:00
virtio-mmio.c
virtio-bus: remove vdev field
2013-12-09 21:46:48 +01:00
virtio-pci.c
qom: Add check() argument to object_property_add_link()
2014-03-19 22:23:13 +01:00
virtio-pci.h
virtio-pci: remove vdev field
2013-12-09 21:46:48 +01:00
virtio-rng.c
virtio-rng: Avoid default_backend refcount leak
2014-03-19 22:23:47 +01:00
virtio.c
virtio: validate config_len on load
2014-05-05 22:15:03 +02:00