diff options
Diffstat (limited to 'app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch')
-rw-r--r-- | app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch new file mode 100644 index 000000000000..917fa2f2b0f4 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch @@ -0,0 +1,58 @@ +From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001 +From: "Gabriel L. Somlo" <somlo@cmu.edu> +Date: Thu, 5 Nov 2015 09:32:50 -0500 +Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When calculating a pointer to the currently selected fw_cfg item, the +following is used: + + FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + +When s->cur_entry is FW_CFG_INVALID, we are calculating the address of +a non-existent element in s->entries[arch][...], which is undefined. + +This patch ensures the resulting entry pointer is set to NULL whenever +s->cur_entry is FW_CFG_INVALID. + +Reported-by: Laszlo Ersek <lersek@redhat.com> +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Gabriel Somlo <somlo@cmu.edu> +Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu +Cc: Marc Marí <markmb@redhat.com> +Signed-off-by: Gabriel Somlo <somlo@cmu.edu> +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/nvram/fw_cfg.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index c2d3a0a..046fa74 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key) + static uint8_t fw_cfg_read(FWCfgState *s) + { + int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + uint8_t ret; + + if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) +@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + } + + arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + + if (dma.control & FW_CFG_DMA_CTL_READ) { + read = 1; +-- +2.7.4 + |