pve-qemu-qoup/debian/patches/extra/0022-exec-use-qemu_ram_ptr_length-to-access-guest-ram.patch
Wolfgang Bumiller e74c0f316d add CVE fixes
CVE-2017-7539:
   qemu-nbd crashes due to undefined I/O coroutine
 CVE-2017-11434:
   slirp: out-of-bounds read while parsing dhcp options
 CVE-2017-11334:
   exec: oob access during dma operation
 CVE-2017-10806:
   usb-redirect: stack buffer overflow in debug logging
 CVE-2017-10664:
   qemu-nbd: server breaks with SIGPIPE upon client abort
 CVE-2017-9524:
   nbd: segmentation fault due to client non-negotiation
 CVE-2017-9503:
   scsi: null pointer dereference while processing megasas command
2017-08-07 10:32:32 +02:00

44 lines
1.5 KiB
Diff

From d587bf95f1099fd253e6a7b768bf73d4e25de07c Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 12 Jul 2017 18:08:40 +0530
Subject: [PATCH 22/23] exec: use qemu_ram_ptr_length to access guest ram
When accessing guest's ram block during DMA operation, use
'qemu_ram_ptr_length' to get ram block pointer. It ensures
that DMA operation of given length is possible; And avoids
any OOB memory access situations.
Reported-by: Alex <broscutamaker@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20170712123840.29328-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
exec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/exec.c b/exec.c
index c97ef4a8da..72d636a4fb 100644
--- a/exec.c
+++ b/exec.c
@@ -2765,7 +2765,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr,
}
} else {
/* RAM case */
- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
memcpy(ptr, buf, l);
invalidate_and_set_dirty(mr, addr1, l);
}
@@ -2856,7 +2856,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr,
}
} else {
/* RAM case */
- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
memcpy(buf, ptr, l);
}
--
2.11.0