qemu/hw
Michael S. Tsirkin ae2158ad6c ahci: fix buffer overrun on invalid state load
CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
we use the old version of ports to read the array but then allow any
value for ports.  This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
9pfs qerror.h: Remove QERR defines that are only used once 2014-04-25 09:19:59 -04:00
acpi acpi: Assert sts array limit on AcpiCpuHotplug_add() 2014-03-18 16:08:43 +02:00
alpha exec: Make stq_*_phys input an AddressSpace 2014-02-11 22:57:12 +10:00
arm hw/arm/virt: Add support for Cortex-A57 2014-05-01 15:25:52 +01:00
audio hda-audio: fix non-mixer codecs 2014-04-29 10:46:29 +02:00
block block: Add errp to bdrv_new() 2014-04-22 12:00:20 +02:00
bt Preparation for usb-bt-dongle conditional build 2013-09-10 11:14:41 +02:00
char char/serial: Fix emptyness handling 2014-04-07 14:51:32 +01:00
core qerror.h: Remove QERR defines that are only used once 2014-04-25 09:19:59 -04:00
cpu icc_bus: QOM'ify ICC 2013-12-24 18:02:18 +01:00
cris cris: Remove the CRIS PIC glue 2014-02-03 14:04:00 +00:00
display vga: add secondary stdvga variant 2014-04-28 11:03:32 +02:00
dma qom: Add check() argument to object_property_add_link() 2014-03-19 22:23:13 +01:00
gpio max7310: QOM'ify 2014-02-14 16:22:32 +01:00
i2c Fix grammar in comment 2014-04-18 10:33:36 +04:00
i386 misc: Use cpu_physical_memory_read and cpu_physical_memory_write 2014-04-27 13:04:18 +04:00
ide ahci: fix buffer overrun on invalid state load 2014-05-05 22:15:02 +02:00
input pckbd: return 'keyboard enabled' on read input port command 2014-03-09 21:09:38 +02:00
intc target-arm queue: 2014-05-02 11:32:00 +01:00
ipack ipack: Move IndustryPack out of hw/char/ 2014-02-14 21:11:53 +01:00
isa QOM infrastructure fixes and device conversions 2014-02-20 13:05:48 +00:00
lm32 hw/lm32: print error if cpu model is not found 2014-02-04 19:47:39 +01:00
m68k an5206: Don't enforce use of kernel for qtest 2013-11-05 17:47:29 +01:00
microblaze xilinx: Delete hw/include/xilinx.h 2014-02-26 14:54:45 +10:00
mips i2c: Rename i2c_bus to I2CBus 2014-02-14 16:22:31 +01:00
misc qerror.h: Remove QERR defines that are only used once 2014-04-25 09:19:59 -04:00
moxie moxie: fix load_elf() usage 2014-03-05 03:06:46 +01:00
net virtio-net: out-of-bounds buffer write on invalid state load 2014-05-05 14:15:10 +02:00
nvram vl.c: Extend get_boot_devices_list() to ignore suffixes 2014-03-20 02:40:07 +01:00
openrisc openrisc-timer: Reduce overhead, Separate clock update functions 2013-11-20 21:46:45 +08:00
pci pci: Fix clearing IRQs on reset 2014-03-31 19:53:34 +01:00
pci-bridge pci/shpc: convert SHPC hotplug to use hotplug-handler API 2014-02-10 10:27:00 +02:00
pci-host hw/pci-host/prep: Don't reverse IO accesses on bigendian hosts 2014-04-08 18:37:45 +01:00
pcmcia qom: Add check() argument to object_property_add_link() 2014-03-19 22:23:13 +01:00
ppc ppce500_spin: Initialize struct properly 2014-04-08 11:20:05 +02:00
s390x qom: Add check() argument to object_property_add_link() 2014-03-19 22:23:13 +01:00
scsi scsi-bus: remove bogus assertion 2014-04-02 13:24:23 +02:00
sd ssi: Convert legacy SSI_SLAVE -> DEVICE casts 2014-03-12 20:13:02 +01:00
sh4 cputlb: Change tlb_flush() argument to CPUState 2014-03-13 19:52:47 +01:00
sparc sun4m: Add Sun CG3 framebuffer initialisation function 2014-02-27 10:01:41 +00:00
sparc64 pc,pci,virtio fixes and cleanups 2013-09-03 12:31:07 -05:00
ssi ssi: Convert legacy SSI_BUS -> BUS casts 2014-03-12 20:13:02 +01:00
timer allwinner-a10-pit: implement prescaler and source selection 2014-04-17 21:34:06 +01:00
tpm aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
unicore32 console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
usb usb: mtp filesharing 2014-04-23 10:28:14 +02:00
virtio virtio: out-of-bounds buffer write on invalid state load 2014-05-05 22:15:02 +02:00
watchdog qemu-option: Remove qemu_opts_create_nofail 2014-01-06 15:02:30 -05:00
xen Call pci_piix3_xen_ide_unplug from unplug_disks 2014-02-20 17:28:08 +00:00
xtensa hw/xtensa: add support for ML605 and KC705 FPGA board 2014-02-24 04:47:01 +04:00
Makefile.objs hw/9pfs: Include virtio-9p-device.o in build 2014-03-04 09:20:49 +05:30