On Fri, Apr 04, 2014 at 06:04:50PM +0300, Michael S. Tsirkin wrote:
> On Fri, Apr 04, 2014 at 05:47:39PM +0300, Michael S. Tsirkin wrote:
> > On Fri, Apr 04, 2014 at 11:51:52AM +0200, Juan Quintela wrote:
> > > "Michael S. Tsirkin" wrote:
> > > > CVE-2013-4527 hw/timer/hpet.c buffer overrun
> > >
On Fri, Apr 04, 2014 at 05:47:39PM +0300, Michael S. Tsirkin wrote:
> On Fri, Apr 04, 2014 at 11:51:52AM +0200, Juan Quintela wrote:
> > "Michael S. Tsirkin" wrote:
> > > CVE-2013-4527 hw/timer/hpet.c buffer overrun
> > >
> > > hpet is a VARRAY with a uint8 size but static array of 32
> > >
> > >
On Fri, Apr 04, 2014 at 11:51:52AM +0200, Juan Quintela wrote:
> "Michael S. Tsirkin" wrote:
> > CVE-2013-4527 hw/timer/hpet.c buffer overrun
> >
> > hpet is a VARRAY with a uint8 size but static array of 32
> >
> > To fix, make sure num_timers is valid using VMSTATE_VALID hook.
> >
> > Reported-b
"Michael S. Tsirkin" wrote:
> CVE-2013-4527 hw/timer/hpet.c buffer overrun
>
> hpet is a VARRAY with a uint8 size but static array of 32
>
> To fix, make sure num_timers is valid using VMSTATE_VALID hook.
>
> Reported-by: Anthony Liguori
> Signed-off-by: Michael S. Tsirkin
> Reviewed-by: Dr. Dav
CVE-2013-4527 hw/timer/hpet.c buffer overrun
hpet is a VARRAY with a uint8 size but static array of 32
To fix, make sure num_timers is valid using VMSTATE_VALID hook.
Reported-by: Anthony Liguori
Signed-off-by: Michael S. Tsirkin
Reviewed-by: Dr. David Alan Gilbert
---
hw/timer/hpet.c | 13 +
