diff options
author | Mike Frysinger <vapier@gentoo.org> | 2016-03-23 01:22:02 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2016-03-23 01:22:02 -0400 |
commit | 346b8a658c0fb521e9a783699a678756765d8845 (patch) | |
tree | 2e3e3753a64f2e3467a7106d16abb8ce9e5c2db5 /app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch | |
parent | net-print/cups-filters: force newer poppler #546220 (diff) | |
download | gentoo-346b8a658c0fb521e9a783699a678756765d8845.tar.gz gentoo-346b8a658c0fb521e9a783699a678756765d8845.tar.bz2 gentoo-346b8a658c0fb521e9a783699a678756765d8845.zip |
app-emulation/qemu: backport various upstream fixes
Diffstat (limited to 'app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch')
-rw-r--r-- | app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch new file mode 100644 index 000000000000..917fa2f2b0f4 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch @@ -0,0 +1,58 @@ +From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001 +From: "Gabriel L. Somlo" <somlo@cmu.edu> +Date: Thu, 5 Nov 2015 09:32:50 -0500 +Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When calculating a pointer to the currently selected fw_cfg item, the +following is used: + + FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + +When s->cur_entry is FW_CFG_INVALID, we are calculating the address of +a non-existent element in s->entries[arch][...], which is undefined. + +This patch ensures the resulting entry pointer is set to NULL whenever +s->cur_entry is FW_CFG_INVALID. + +Reported-by: Laszlo Ersek <lersek@redhat.com> +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Gabriel Somlo <somlo@cmu.edu> +Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu +Cc: Marc Marí <markmb@redhat.com> +Signed-off-by: Gabriel Somlo <somlo@cmu.edu> +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/nvram/fw_cfg.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index c2d3a0a..046fa74 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key) + static uint8_t fw_cfg_read(FWCfgState *s) + { + int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + uint8_t ret; + + if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) +@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + } + + arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + + if (dma.control & FW_CFG_DMA_CTL_READ) { + read = 1; +-- +2.7.4 + |