qemu/hw/intc
Michael Roth 73d963c0a7 openpic: avoid buffer overrun on incoming migration
CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
allwinner-a10-pic.c allwinner-a10-pic: fix behaviour of pending register 2014-04-17 21:34:06 +01:00
apic_common.c trace: add workaround for SystemTap PR13296 2014-04-01 20:08:25 +02:00
apic.c misc: Use cpu_physical_memory_read and cpu_physical_memory_write 2014-04-27 13:04:18 +04:00
arm_gic_common.c arm_gic: Add GICC_APRn state to the GICState 2014-02-08 14:50:48 +00:00
arm_gic_kvm.c misc: Fix typos in comments 2014-03-15 13:54:18 +04:00
arm_gic.c hw/intc/arm_gic: Fix NVIC assertion failure 2014-02-20 10:35:48 +00:00
armv7m_nvic.c armv7m_nvic: fix CPUID Base Register 2014-05-01 15:24:44 +01:00
etraxfs_pic.c hw: cannot_instantiate_with_device_add_yet due to pointer props 2013-12-24 17:27:17 +01:00
exynos4210_combiner.c hw/intc/exynos4210_combiner: Don't overrun output_irq array in init 2014-02-26 17:19:58 +00:00
exynos4210_gic.c exynos4210_gic: QOM cast cleanup for exynos4210.irq_gate 2013-07-29 21:06:57 +02:00
gic_internal.h hw/intc/arm_gic: Fix GIC_SET_LEVEL 2014-02-26 17:19:59 +00:00
grlib_irqmp.c hw: cannot_instantiate_with_device_add_yet due to pointer props 2013-12-24 17:27:17 +01:00
heathrow_pic.c memory: add owner argument to initialization functions 2013-07-04 17:42:44 +02:00
i8259_common.c qdev: Remove hex8/32/64 property types 2014-02-14 21:12:04 +01:00
i8259.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
imx_avic.c imx_avic: QOM cast cleanup 2013-07-29 21:06:05 +02:00
ioapic_common.c ioapic: QOM'ify ioapic 2013-12-24 18:02:18 +01:00
ioapic.c qemu: x86: ignore ioapic polarity 2014-03-09 21:09:38 +02:00
lm32_pic.c lm32_pic: QOM cast cleanup 2013-07-29 21:06:57 +02:00
Makefile.objs s390x/kvm: implement floating-interrupt controller device 2014-02-27 09:51:25 +01:00
omap_intc.c hw: cannot_instantiate_with_device_add_yet due to pointer props 2013-12-24 17:27:17 +01:00
openpic_kvm.c ppc: use kvm_vcpu_enable_cap() 2014-04-30 14:39:58 +02:00
openpic.c openpic: avoid buffer overrun on incoming migration 2014-05-05 22:15:03 +02:00
pl190.c sysbus: Set cannot_instantiate_with_device_add_yet 2013-12-23 00:27:22 +01:00
puv3_intc.c puv3_intc: QOM cast cleanup 2013-07-29 21:06:58 +02:00
realview_gic.c realview_gic: Prepare for QOM embedding 2013-11-05 17:47:30 +01:00
s390_flic.c s390x/async_pf: Check for apf extension and enable pfault 2014-02-27 09:51:25 +01:00
sh_intc.c cpu: Make first_cpu and next_cpu CPUState 2013-07-09 21:32:54 +02:00
slavio_intctl.c hw/intc/slavio_intctl: Avoid shifting left into sign bit 2014-03-27 19:22:49 +04:00
xics_kvm.c ppc: use kvm_vcpu_enable_cap() 2014-04-30 14:39:58 +02:00
xics.c target-ppc: spapr: e500: fix to use cpu_dt_id 2014-03-05 03:07:04 +01:00
xilinx_intc.c hw/intc/xilinx_intc: Avoid shifting left into sign bit 2014-03-27 19:22:49 +04:00