From: Michael S. Tsirkin Date: Thu, 3 Apr 2014 16:51:18 +0000 (+0300) Subject: ahci: fix buffer overrun on invalid state load X-Git-Tag: TizenStudio_2.0_p2.3.2~208^2~865^2~29 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5;p=sdk%2Femulator%2Fqemu.git ahci: fix buffer overrun on invalid state load CVE-2013-4526 Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So we use the old version of ports to read the array but then allow any value for ports. This can cause the code to overflow. There's no reason to migrate ports - it never changes. So just make sure it matches. Reported-by: Anthony Liguori Signed-off-by: Michael S. Tsirkin Reviewed-by: Peter Maydell Signed-off-by: Juan Quintela --- diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c index 50327ff..e57c583 100644 --- a/hw/ide/ahci.c +++ b/hw/ide/ahci.c @@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = { VMSTATE_UINT32(control_regs.impl, AHCIState), VMSTATE_UINT32(control_regs.version, AHCIState), VMSTATE_UINT32(idp_index, AHCIState), - VMSTATE_INT32(ports, AHCIState), + VMSTATE_INT32_EQUAL(ports, AHCIState), VMSTATE_END_OF_LIST() }, };
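Review bot: the switch from `VMSTATE_INT32(ports, AHCIState)` to `VMSTATE_INT32_EQUAL(ports, AHCIState)` deserves a one-line comment in `vmstate_ahci` saying why: `ports` is fixed at device creation and sizes the VARRAY that is loaded from the same stream, so an incoming value that differs must fail the load rather than overwrite the field. Without that comment a later cleanup could plausibly flip it back to a plain `VMSTATE_INT32` and silently reintroduce the mismatch this hunk closes. Rejecting the stream on mismatch is the right defensive outcome here; the field never changes, so there is no legitimate migration that the stricter check would break.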
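To make the failure mode in the commit message concrete, here is an added illustration (not QEMU code) of the two field semantics: a trusting load that overwrites a fixed-size count from the stream, beside an equality check in the style of VMSTATE_INT32_EQUAL that rejects a mismatched stream before the count can be used. `DevState`, `load_ports_trusting`, `load_ports_equal`, `fill_ports` and `simulate` are hypothetical names; the stream values are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical stand-in for the device state: the per-port array is sized
 * from `ports` when the device is created and never changes afterwards. */
typedef struct {
    int32_t   ports;
    uint32_t *port_regs;   /* exactly `ports` entries */
} DevState;

/* Plain VMSTATE_INT32 semantics: accept whatever count the stream carries,
 * even though the array behind it still has the original size. */
static int load_ports_trusting(DevState *s, int32_t incoming)
{
    s->ports = incoming;
    return 0;
}

/* VMSTATE_INT32_EQUAL semantics: the stream value must match the live
 * value; otherwise the load fails and the state is left untouched. */
static int load_ports_equal(DevState *s, int32_t incoming)
{
    if (incoming != s->ports) {
        return -1;   /* malformed or mismatched state: refuse to load */
    }
    return 0;
}

/* Later code walks `ports` entries. Returns how many writes would have
 * landed past the allocation (0 means every access stayed in bounds). */
static int fill_ports(const DevState *s, int32_t allocated, const uint32_t *vals)
{
    int overrun = 0;
    for (int32_t i = 0; i < s->ports; i++) {
        if (i >= allocated) { overrun++; continue; }   /* would overflow */
        s->port_regs[i] = vals[i];
    }
    return overrun;
}

/* Constructed scenario: device created with 6 ports, stream claims `claimed`.
 * Returns 0 when the load is rejected or stays in bounds, else the overrun count. */
static int simulate(int use_equal_check, int32_t claimed)
{
    enum { REAL_PORTS = 6 };
    uint32_t regs[REAL_PORTS] = {0};
    uint32_t vals[64] = {0};                    /* constructed stream payload */
    DevState s = { REAL_PORTS, regs };
    int rc = use_equal_check ? load_ports_equal(&s, claimed)
                             : load_ports_trusting(&s, claimed);
    if (rc != 0) return 0;                      /* rejected before any array use */
    return fill_ports(&s, REAL_PORTS, vals);
}
```

With the trusting load, a stream claiming 32 ports produces 26 out-of-bounds writes against a 6-entry array; the equality check turns the same stream into a failed load with no array access at all.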