Michael S. Tsirkin eea750a562 virtio-net: out-of-bounds buffer write on invalid state load ... CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c This code is in hw/net/virtio-net.c: if (n->max_queues > 1) { if (n->max_queues != qemu_get_be16(f)) { error_report("virtio-net: different max_queues "); return -1; } n->curr_queues = qemu_get_be16(f); for (i = 1; i < n->curr_queues; i++) { n->vqs[i].tx_waiting = qemu_get_be32(f); } } Number of vqs is max_queues, so if we get invalid input here, for example if max_queues = 2, curr_queues = 3, we get write beyond end of the buffer, with data that comes from wire. This might be used to corrupt qemu memory in hard to predict ways. Since we have lots of function pointers around, RCE might be possible. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Juan Quintela <quintela@redhat.com>		2014-05-05 14:15:10 +02:00
..
fsl_etsec	FSL eTSEC: Fix typo in rx ring	2014-03-15 13:54:18 +04:00
allwinner_emac.c	allwinner-emac: update irq status after writes to interrupt registers	2014-04-17 21:34:06 +01:00
cadence_gem.c	net: cadence_gem: Make phy respond to broadcast	2014-04-17 21:34:07 +01:00
dp8393x.c	aio / timers: Switch entire codebase to the new timer API	2013-08-22 19:14:24 +02:00
e1000_regs.h	hw: move private headers to hw/ subdirectories.	2013-04-08 18:13:16 +02:00
e1000.c	Revert "e1000/rtl8139: update HMP NIC when every bit is written"	2013-11-21 16:28:27 +02:00
eepro100.c	hw: set interrupts using pci irq wrappers	2013-10-14 17:11:45 +03:00
etraxfs_eth.c	hw: cannot_instantiate_with_device_add_yet due to pointer props	2013-12-24 17:27:17 +01:00
lan9118.c	Fix lan9118 buffer length handling	2014-01-27 15:44:06 +01:00
lance.c	hw: cannot_instantiate_with_device_add_yet due to pointer props	2013-12-24 17:27:17 +01:00
Makefile.objs	Add Enhanced Three-Speed Ethernet Controller (eTSEC)	2014-03-05 03:06:45 +01:00
mcf_fec.c	memory: add owner argument to initialization functions	2013-07-04 17:42:44 +02:00
milkymist-minimac2.c	milkymist-minimac2: QOM cast cleanup	2013-07-29 21:06:59 +02:00
mipsnet.c	mipsnet: QOM cast cleanup	2013-07-29 21:07:02 +02:00
ne2000-isa.c	qdev: Remove hex8/32/64 property types	2014-02-14 21:12:04 +01:00
ne2000.c	bswap.h: Remove le32_to_cpupu()	2013-11-05 19:57:46 -08:00
ne2000.h	ne2000: pass device to ne2000_setup_io, use it as owner	2013-07-04 17:42:46 +02:00
opencores_eth.c	opencores_eth: flush queue whenever can_receive can go from false to true	2014-02-25 11:50:16 +01:00
pcnet-pci.c	pci, pc, acpi fixes, enhancements	2013-10-31 16:58:32 +01:00
pcnet.c	pcnet: remove duplicate assignment	2014-04-25 13:40:03 +02:00
pcnet.h	hw: move private headers to hw/ subdirectories.	2013-04-08 18:13:16 +02:00
rtl8139.c	Revert "e1000/rtl8139: update HMP NIC when every bit is written"	2013-11-21 16:28:27 +02:00
smc91c111.c	smc91c111: Fix receive starvation	2013-11-15 13:25:39 +01:00
spapr_llan.c	spapr_llan: Add to boot device list	2014-03-20 02:40:13 +01:00
stellaris_enet.c	hw/net/stellaris_enet: Avoid unintended sign extension	2014-02-26 17:19:58 +00:00
vhost_net.c	vhost_net: use offload API instead of bypassing it	2014-02-25 14:31:05 +01:00
virtio-net.c	virtio-net: out-of-bounds buffer write on invalid state load	2014-05-05 14:15:10 +02:00
vmware_utils.h	exec: Make stb_phys input an AddressSpace	2014-02-11 22:57:38 +10:00
vmxnet3.c	vmxnet3: validate queues configuration read on migration	2014-04-14 11:50:56 +01:00
vmxnet3.h	vmxnet3: Eliminate __packed redefined warning	2013-09-06 17:25:55 +02:00
vmxnet_debug.h
vmxnet_rx_pkt.c
vmxnet_rx_pkt.h
vmxnet_tx_pkt.c	misc: Use g_assert_not_reached for code which is expected to be unreachable	2013-07-27 11:22:54 +04:00
vmxnet_tx_pkt.h
xen_nic.c
xgmac.c	xgmac: QOM cast cleanup	2013-07-29 21:07:00 +02:00
xilinx_axienet.c	trivial patches for 2014-04-28	2014-04-28 13:43:17 +01:00
xilinx_ethlite.c	xilinx_ethlite: QOM cast cleanup	2013-07-29 21:07:00 +02:00