From: "Michael S. Tsirkin" <[email protected]> CVE-2013-4526
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So we use the old version of ports to read the array but then allow any value for ports. This can cause the code to overflow.

There's no reason to migrate ports - it never changes. So just make sure it matches.

Reported-by: Anthony Liguori <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Juan Quintela <[email protected]>
(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
Signed-off-by: Michael Roth <[email protected]>
---
 hw/ide/ahci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index fbea9e8..e321274 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1290,7 +1290,7 @@ const VMStateDescription vmstate_ahci = {
         VMSTATE_UINT32(control_regs.impl, AHCIState),
         VMSTATE_UINT32(control_regs.version, AHCIState),
         VMSTATE_UINT32(idp_index, AHCIState),
-        VMSTATE_INT32(ports, AHCIState),
+        VMSTATE_INT32_EQUAL(ports, AHCIState),
         VMSTATE_END_OF_LIST()
     },
 };
-- 
1.9.1
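Review bot: the switch to VMSTATE_INT32_EQUAL is correct but silent about why it is safe here; a one-line comment above the field would save the next reader a trip through the commit log. The check only rejects a stream whose ports value differs from the value the device already holds, so it is sufficient precisely because, as the commit message says, the VARRAY is read earlier in the field list using the device's own ports and the value never changes after realize. Suggest something like `/* ports is fixed at realize time and sizes dev[]; refuse streams that disagree */` immediately before `VMSTATE_INT32_EQUAL(ports, AHCIState),`, and consider whether any other length field that sizes a VARRAY in this file deserves the same treatment.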
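The load-time ordering the commit message describes, as an added example in C that is not QEMU's code: a device with a fixed number of ports, a migration stream that carries the per-port array first and the scalar ports afterwards, a loader that accepts any ports value (the VMSTATE_INT32 behaviour) and one that refuses a mismatch (the VMSTATE_INT32_EQUAL behaviour). The struct names, the stream layout, the big-endian encoding and the byte values are all constructed for illustration and are not the real vmstate wire format.

```c
/* Added example (not QEMU code). Models the field ordering the commit
 * message describes: the per-port array is sized by the *current* value of
 * d->ports because the scalar `ports` appears later in the field list, and
 * the old loader then lets the stream overwrite d->ports with anything.
 * Names, stream layout and byte values are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_PORTS 2          /* decided at device creation, never changes */

struct port_state { uint32_t cmd; uint32_t tfdata; };

struct device {
    int32_t ports;                       /* element count of dev[] */
    struct port_state dev[NUM_PORTS];    /* fixed-size backing store */
};

/* Minimal big-endian reader over a constructed migration stream. */
struct stream { const uint8_t *buf; size_t len, pos; };

static int get_u32(struct stream *s, uint32_t *out) {
    if (s->len - s->pos < 4) return -1;
    *out = ((uint32_t)s->buf[s->pos] << 24) | ((uint32_t)s->buf[s->pos + 1] << 16)
         | ((uint32_t)s->buf[s->pos + 2] << 8) | s->buf[s->pos + 3];
    s->pos += 4;
    return 0;
}

/* The VARRAY part: sized by the value the receiving device already has. */
static int load_port_array(struct stream *s, struct device *d) {
    for (int32_t i = 0; i < d->ports; i++)
        if (get_u32(s, &d->dev[i].cmd) || get_u32(s, &d->dev[i].tfdata)) return -1;
    return 0;
}

/* Before the fix (VMSTATE_INT32): whatever the wire says becomes d->ports,
 * and every later loop over d->dev[] will trust it. */
static int load_vulnerable(struct stream *s, struct device *d) {
    uint32_t v;
    if (load_port_array(s, d) || get_u32(s, &v)) return -1;
    d->ports = (int32_t)v;
    return 0;
}

/* After the fix (VMSTATE_INT32_EQUAL): the wire value must equal what the
 * device already has, otherwise the load fails and d->ports is untouched. */
static int load_fixed(struct stream *s, struct device *d) {
    uint32_t v;
    if (load_port_array(s, d) || get_u32(s, &v)) return -1;
    if ((int32_t)v != d->ports) {
        fprintf(stderr, "ports: wire %d != device %d, rejecting stream\n",
                (int32_t)v, d->ports);
        return -1;
    }
    return 0;
}

/* Would a post-load loop `for (i = 0; i < d->ports; i++) ... d->dev[i]`
 * run past the backing array? */
static int indexes_out_of_bounds(const struct device *d) {
    return d->ports < 0 || d->ports > NUM_PORTS;
}

/* Constructed hostile stream: two valid port records, then ports = 0x7fffffff. */
static const uint8_t hostile[] = {
    0, 0, 0, 1,  0, 0, 0, 2,      /* dev[0] */
    0, 0, 0, 3,  0, 0, 0, 4,      /* dev[1] */
    0x7f, 0xff, 0xff, 0xff        /* ports */
};

/* Constructed well-formed stream: same records, ports = 2. */
static const uint8_t benign[] = {
    0, 0, 0, 1,  0, 0, 0, 2,
    0, 0, 0, 3,  0, 0, 0, 4,
    0, 0, 0, 2
};

/* Run one stream through the chosen loader; report rc and whether a later
 * indexing loop would now be unsafe. */
static int run(const uint8_t *buf, size_t len, int fixed, int *oob) {
    struct device d = { .ports = NUM_PORTS };
    struct stream s = { buf, len, 0 };
    int rc = fixed ? load_fixed(&s, &d) : load_vulnerable(&s, &d);
    *oob = indexes_out_of_bounds(&d);
    return rc;
}

/* Small wrappers so each outcome is a single returned value. */
static int load_hostile(int fixed) { int oob; return run(hostile, sizeof hostile, fixed, &oob); }
static int hostile_oob(int fixed)  { int oob; run(hostile, sizeof hostile, fixed, &oob); return oob; }
static int load_benign(int fixed)  { int oob; return run(benign, sizeof benign, fixed, &oob); }

int main(void) {
    printf("vulnerable loader: rc=%d, later out-of-bounds indexing=%d\n",
           load_hostile(0), hostile_oob(0));
    printf("fixed loader:      rc=%d, later out-of-bounds indexing=%d\n",
           load_hostile(1), hostile_oob(1));
    return 0;
}
```

The point the example makes is that the array read itself is bounded by the device's own ports in both versions; what the old VMSTATE_INT32 line did was poison the length that every subsequent loop over dev[] uses, and the EQUAL variant closes that by failing the load instead of storing the foreign value.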
