vmstate: fix buffer overflow in target-arm/machine.c

CVE-2013-4531 cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for cpreg_vmstate_array_len will cause a buffer overflow. VMSTATE_INT32_LE was supposed to protect against this but doesn't because it doesn't validate that input is non-negative. Fix this macro to valide the value appropriately. The only other user of VMSTATE_INT32_LE doesn't ever use negative numbers so it doesn't care. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> (cherry picked from commit d2ef4b6) Conflicts: vmstate.c *removed dependency on b6fcfa5 (Move VMState code to vmstate.c) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
qemu · Jun 26, 2014 · 630ebef · 630ebef
1 parent a2b4e84
commit 630ebef
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/savevm.c b/savevm.c
@@ -1111,16 +1111,17 @@ const VMStateInfo vmstate_info_int32_equal = {
     .put  = put_int32,
 };
 
-/* 32 bit int. Check that the received value is less than or equal to
-   the one in the field */
+/* 32 bit int. Check that the received value is non-negative
+ * and less than or equal to the one in the field.
+ */
 
 static int get_int32_le(QEMUFile *f, void *pv, size_t size)
 {
     int32_t *cur = pv;
     int32_t loaded;
     qemu_get_sbe32s(f, &loaded);
 
-    if (loaded <= *cur) {
+    if (loaded >= 0 && loaded <= *cur) {
         *cur = loaded;
         return 0;
     }