File CVE-2013-4527-qemuu-hpet-buffer-overrun-on-invalid-state-load.patch of Package xen.7673

References: bsc#964746 CVE-2013-4527

Subject: hpet: fix buffer overrun on invalid state load
From: Michael S. Tsirkin mst@redhat.com Thu Apr 3 19:51:23 2014 +0300
Date: Mon May 5 22:15:02 2014 +0200
Git: 3f1c49e2136fa08ab1ef3183fd55def308829584

CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but a static array of 32

To fix, make sure num_timers is valid using VMSTATE_VALID hook.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/timer/hpet.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/timer/hpet.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/timer/hpet.c
@@ -311,6 +311,7 @@ static const VMStateDescription vmstate_
         VMSTATE_UINT64(isr, HPETState),
         VMSTATE_UINT64(hpet_counter, HPETState),
         VMSTATE_UINT8_V(num_timers, HPETState, 2),
+        VMSTATE_VALIDATE("num_timers in range", hpet_validate_num_timers),
         VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0,
                                     vmstate_hpet_timer, HPETTimer),
         VMSTATE_END_OF_LIST()
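Review bot: the added line references hpet_validate_num_timers, but no definition of that function appears in this patch, and the VMSTATE_VALIDATE macro is not visible either; unless both already exist in this qemu-xen tree, hw/timer/hpet.c will fail to compile, so the backport should also carry the validator (returning true only when the loaded num_timers does not exceed the 32-entry static timer array the description mentions) and, if the tree predates it, the VMSTATE_VALIDATE macro together with the vmstate loader support it relies on. Placement is correct as shown: the validate entry sits between VMSTATE_UINT8_V(num_timers, ...) and VMSTATE_STRUCT_VARRAY_UINT8(timer, ...), so the bound is checked after num_timers is read and before the variable-length timer array is copied into the fixed-size one.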