)]}'
{
  "commit": "edc243851279e3393000b28b6b69454cae1190ef",
  "tree": "1adfa99b1b7df53c830985e6020c573f0437510f",
  "parents": [
    "21e2db72601c48fa593ef7187faf17f324d925c5"
  ],
  "author": {
    "name": "Michael S. Tsirkin",
    "email": "mst@redhat.com",
    "time": "Fri Apr 11 15:18:08 2014 +0300"
  },
  "committer": {
    "name": "Peter Maydell",
    "email": "peter.maydell@linaro.org",
    "time": "Fri Apr 11 16:02:23 2014 +0100"
  },
  "message": "virtio-net: fix guest-triggerable buffer overrun\n\nWhen VM guest programs multicast addresses for\na virtio net card, it supplies a 32 bit\nentries counter for the number of addresses.\nThese addresses are read into tail portion of\na fixed macs array which has size MAC_TABLE_ENTRIES,\nat offset equal to in_use.\n\nTo avoid overflow of this array by guest, qemu attempts\nto test the size as follows:\n-    if (in_use + mac_data.entries \u003c\u003d MAC_TABLE_ENTRIES) {\n\nhowever, as mac_data.entries is uint32_t, this sum\ncan overflow, e.g. if in_use is 1 and mac_data.entries\nis 0xffffffff then in_use + mac_data.entries will be 0.\n\nQemu will then read guest supplied buffer into this\nmemory, overflowing buffer on heap.\n\nCVE-2014-0150\n\nCc: qemu-stable@nongnu.org\nSigned-off-by: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nMessage-id: 1397218574-25058-1-git-send-email-mst@redhat.com\nReviewed-by: Michael Tokarev \u003cmjt@tls.msk.ru\u003e\nSigned-off-by: Peter Maydell \u003cpeter.maydell@linaro.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "439477b954ea25f428841b2881842c067f316de7",
      "old_mode": 33188,
      "old_path": "hw/net/virtio-net.c",
      "new_id": "33bd233a2dbc323fbdef1491429bfd313a4887f0",
      "new_mode": 33188,
      "new_path": "hw/net/virtio-net.c"
    }
  ]
}