File CVE-2013-4530-qemuu-pl022-fix-buffer-overun-on-invalid-state-load.patch of Package xen.6121

References: bsc#964950 CVE-2013-4530

Subject: pl022: fix buffer overun on invalid state load
From: Michael S. Tsirkin mst@redhat.com Thu Apr 3 19:51:35 2014 +0300
Date: Mon May 5 22:15:02 2014 +0200:
Git: d8d0a0bc7e194300e53a346d25fe5724fd588387

CVE-2013-4530

pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.

Reported-by: Michael S. Tsirkin <mst@redhat.com
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/ssi/pl022.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/ssi/pl022.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/ssi/pl022.c
@@ -240,11 +240,25 @@ static const MemoryRegionOps pl022_ops =
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
+static int pl022_post_load(void *opaque, int version_id)
+{
+    PL022State *s = opaque;
+
+    if (s->tx_fifo_head < 0 ||
+        s->tx_fifo_head >= ARRAY_SIZE(s->tx_fifo) ||
+        s->rx_fifo_head < 0 ||
+        s->rx_fifo_head >= ARRAY_SIZE(s->rx_fifo)) {
+        return -1;
+    }
+    return 0;
+}
+
 static const VMStateDescription vmstate_pl022 = {
     .name = "pl022_ssp",
     .version_id = 1,
     .minimum_version_id = 1,
     .minimum_version_id_old = 1,
+    .post_load = pl022_post_load,
     .fields      = (VMStateField[]) {
         VMSTATE_UINT32(cr0, PL022State),
         VMSTATE_UINT32(cr1, PL022State),