From 3a154eaea9ddb287034e5326c615df17c64b3228 Mon Sep 17 00:00:00 2001 From: Markus Armbruster Date: Wed, 11 Jan 2012 17:22:32 +0100 Subject: [PATCH 7/7] ccid: Fix buffer overrun in handling of VSC_ATR message RH-Author: Markus Armbruster Message-id: <1326302552-27770-2-git-send-email-armbru@redhat.com> Patchwork-id: 36458 O-Subject: [RHEL-6.3 PATCH qemu-kvm 1/1] ccid: Fix buffer overrun in handling of VSC_ATR message Bugzilla: 752003 RH-Acked-by: Laszlo Ersek RH-Acked-by: Petr Matousek RH-Acked-by: Gerd Hoffmann RH-Acked-by: Alon Levy ATR size exceeding the limit is diagnosed, but then we merrily use it anyway, overrunning card->atr[]. The message is read from a character device. Obvious security implications unless the other end of the character device is trusted. Spotted by Coverity. CVE-2011-4111. Signed-off-by: Markus Armbruster Signed-off-by: Anthony Liguori (cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a) --- hw/ccid-card-passthru.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) Signed-off-by: Michal Novotny --- hw/ccid-card-passthru.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c index cad870e..d713026 100644 --- a/hw/ccid-card-passthru.c +++ b/hw/ccid-card-passthru.c @@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card, error_report("ATR size exceeds spec, ignoring"); ccid_card_vscard_send_error(card, scr_msg_header->reader_id, VSC_GENERAL_ERROR); + break; } memcpy(card->atr, data, scr_msg_header->length); card->atr_length = scr_msg_header->length; -- 1.7.7.5