Files · 0be839a2701369f669532ea5884c15bead1c6e08 · Anton / libtcg

migration: fix parameter validation on ram load

Michael S. Tsirkin authored 10 years ago

During migration, the values read from migration stream during ram load
are not validated. Especially offset in host_from_stream_offset() and
also the length of the writes in the callers of said function.

To fix this, we need to make sure that the [offset, offset + length]
range fits into one of the allocated memory regions.

Validating addr < len should be sufficient since data seems to always be
managed in TARGET_PAGE_SIZE chunks.

Fixes: CVE-2014-7840

Note: follow-up patches add extra checks on each block->host access.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>

0be839a2

History

0be839a2 10 years ago

History

Name	Last commit	Last update
audio
backends
block
bsd-user
default-configs
disas
docs
fpu
fsdev
gdb-xml
hw
include
libcacard
libdecnumber
linux-headers
linux-user
net
pc-bios
po
qapi
qga
qobject
qom
roms
scripts
slirp
stubs
sysconfigs/target
target-alpha
target-arm
target-cris
target-i386
target-lm32
target-m68k
target-microblaze
target-mips
target-moxie
target-openrisc
target-ppc
target-s390x
target-sh4
target-sparc
target-tricore
target-unicore32
target-xtensa
tcg
tests
trace
ui
util
.exrc
.gitignore
.gitmodules
.mailmap
.travis.yml
CODING_STYLE
COPYING
COPYING.LIB
Changelog
HACKING
LICENSE
MAINTAINERS
Makefile
Makefile.objs
Makefile.target
README
VERSION
accel.c
aio-posix.c
aio-win32.c
arch_init.c
async.c
balloon.c
block-migration.c
block.c
blockdev-nbd.c
blockdev.c
blockjob.c
bootdevice.c
bt-host.c
bt-vhci.c
configure
coroutine-gthread.c
coroutine-sigaltstack.c
coroutine-ucontext.c
coroutine-win32.c
cpu-exec.c
cpus.c
cputlb.c
device-hotplug.c
device_tree.c
disas.c
dma-helpers.c
dump.c
exec.c
gdbstub.c
hmp-commands.hx
hmp.c
hmp.h
iohandler.c

README