qemu/hw/timer
Michael S. Tsirkin 3f1c49e213 hpet: fix buffer overrun on invalid state load
CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but static array of 32

To fix, make sure num_timers is valid using VMSTATE_VALID hook.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
a9gtimer.c hw/timer: Introduce ARM A9 Global Timer. 2013-12-10 13:24:51 +00:00
allwinner-a10-pit.c allwinner-a10-pit: implement prescaler and source selection 2014-04-17 21:34:06 +01:00
arm_mptimer.c sysbus: Set cannot_instantiate_with_device_add_yet 2013-12-23 00:27:22 +01:00
arm_timer.c hw/timer/arm_timer: Avoid array overrun for bad addresses 2014-02-26 17:19:58 +00:00
cadence_ttc.c timer: cadence_ttc: Fix match register write logic 2014-04-17 21:34:06 +01:00
digic-timer.c hw/arm/digic: add timer support 2013-12-17 20:12:51 +00:00
ds1338.c ds1338: QOM'ify 2014-02-14 16:22:32 +01:00
etraxfs_timer.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
exynos4210_mct.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
exynos4210_pwm.c aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
exynos4210_rtc.c misc: Fix some typos in names and comments 2013-09-01 18:59:24 +04:00
grlib_gptimer.c hw/timer/grlib_gptimer: remove unnecessary assignment 2014-03-27 19:22:49 +04:00
hpet.c hpet: fix buffer overrun on invalid state load 2014-05-05 22:15:02 +02:00
i8254_common.c isa: Clean up use of cannot_instantiate_with_device_add_yet 2013-12-23 00:27:23 +01:00
i8254.c qdev: Remove hex8/32/64 property types 2014-02-14 21:12:04 +01:00
imx_epit.c aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
imx_gpt.c aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
lm32_timer.c aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
m48t59.c qdev: Remove hex8/32/64 property types 2014-02-14 21:12:04 +01:00
Makefile.objs hw/timer: add allwinner a10 timer 2013-12-17 20:12:51 +00:00
mc146818rtc.c qdev: Add enum property types to QAPI schema 2014-02-14 21:12:05 +01:00
milkymist-sysctl.c milkymist-sysctl: QOM cast cleanup 2013-07-29 21:07:01 +02:00
omap_gptimer.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
omap_synctimer.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
pl031.c sysbus: Set cannot_instantiate_with_device_add_yet 2013-12-23 00:27:22 +01:00
puv3_ost.c aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
pxa2xx_timer.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
sh_timer.c aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
slavio_timer.c sun4m: fix slavio timer RUN/STOP bit 2014-02-27 10:01:41 +00:00
tusb6010.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
twl92230.c twl92230: QOM'ify 2014-02-14 16:22:32 +01:00
xilinx_timer.c aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00