Overview

File CVE-2018-12617-qemuu-guest-agent-integer-overflow-causes-segmentation-fault.patch of Package xen.8005

While reading file content via 'guest-file-read' command,
'qmp_guest_file_read' routine allocates buffer of count+1
bytes. It could overflow for large values of 'count'.
Add check to avoid it.

Reported-by: Fakhri Zulkifli <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 qga/commands-posix.c | 2 +-
 qga/commands-win32.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/qga/commands-posix.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/qga/commands-posix.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/qga/commands-posix.c
@@ -440,7 +440,7 @@ struct GuestFileRead *qmp_guest_file_rea
 
     if (!has_count) {
         count = QGA_READ_COUNT_DEFAULT;
-    } else if (count < 0) {
+    } else if (count < 0 || count >= UINT32_MAX) {
         error_setg(err, "value '%" PRId64 "' is invalid for argument count",
                    count);
         return NULL;
openSUSE Build Service is sponsored by
Places