ahci: fix buffer overrun on invalid state load

CVE-2013-4526 Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So we use the old version of ports to read the array but then allow any value for ports. This can cause the code to overflow. There's no reason to migrate ports - it never changes. So just make sure it matches. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Juan Quintela <quintela@redhat.com> (cherry picked from commit ae2158ad6c) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2014-04-03 19:51:18 +03:00 · 2014-04-03 19:51:18 +03:00 · d34e6f7960
parent 5544b7e419
commit d34e6f7960
1 changed files with 1 additions and 1 deletions
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@ -1290,7 +1290,7 @@ const VMStateDescription vmstate_ahci = {
        VMSTATE_UINT32(control_regs.impl, AHCIState),
        VMSTATE_UINT32(control_regs.version, AHCIState),
        VMSTATE_UINT32(idp_index, AHCIState),
-        VMSTATE_INT32(ports, AHCIState),
+        VMSTATE_INT32_EQUAL(ports, AHCIState),
        VMSTATE_END_OF_LIST()
    },
 };