diff options
Diffstat (limited to 'app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch')
-rw-r--r-- | app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch | 27 |
1 files changed, 0 insertions, 27 deletions
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch deleted file mode 100644 index 56f7435df5b6..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Li Qiang <address@hidden> - -In Vmxnet3 device emulator while processing transmit(tx) queue, -when it reaches end of packet, it calls vmxnet3_complete_packet. -In that local 'txcq_descr' object is not initialised, which could -leak host memory bytes a guest. - -Reported-by: Li Qiang <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/net/vmxnet3.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c -index 90f6943..92f6af9 100644 ---- a/hw/net/vmxnet3.c -+++ b/hw/net/vmxnet3.c -@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) - - VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); - -+ memset(&txcq_descr, 0, sizeof(txcq_descr)); - txcq_descr.txdIdx = tx_ridx; - txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring); - --- -2.5.5 |