Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
diff options
context:
space:
mode:
Diffstat (limited to 'app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch')
-rw-r--r--app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
new file mode 100644
index 000000000000..917fa2f2b0f4
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
@@ -0,0 +1,58 @@
+From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001
+From: "Gabriel L. Somlo" <somlo@cmu.edu>
+Date: Thu, 5 Nov 2015 09:32:50 -0500
+Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When calculating a pointer to the currently selected fw_cfg item, the
+following is used:
+
+ FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+
+When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
+a non-existent element in s->entries[arch][...], which is undefined.
+
+This patch ensures the resulting entry pointer is set to NULL whenever
+s->cur_entry is FW_CFG_INVALID.
+
+Reported-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
+Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu
+Cc: Marc Marí <markmb@redhat.com>
+Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/nvram/fw_cfg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
+index c2d3a0a..046fa74 100644
+--- a/hw/nvram/fw_cfg.c
++++ b/hw/nvram/fw_cfg.c
+@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
+ static uint8_t fw_cfg_read(FWCfgState *s)
+ {
+ int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+ uint8_t ret;
+
+ if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
+@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
+ }
+
+ arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++ e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+
+ if (dma.control & FW_CFG_DMA_CTL_READ) {
+ read = 1;
+--
+2.7.4
+