diff options
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-11334.patch | 52 | ||||
-rw-r--r-- | gnu/packages/virtualization.scm | 3 |
3 files changed, 55 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index e7395292f8..7d9b2f8d76 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -975,6 +975,7 @@ dist_patch_DATA = \ %D%/packages/patches/qemu-CVE-2017-8379.patch \ %D%/packages/patches/qemu-CVE-2017-8380.patch \ %D%/packages/patches/qemu-CVE-2017-9524.patch \ + %D%/packages/patches/qemu-CVE-2017-11334.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtscript-disable-tests.patch \ %D%/packages/patches/quagga-reproducible-build.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2017-11334.patch b/gnu/packages/patches/qemu-CVE-2017-11334.patch new file mode 100644 index 0000000000..cb68c803aa --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-11334.patch @@ -0,0 +1,52 @@ +Fix CVE-2017-11334: + +https://bugzilla.redhat.com/show_bug.cgi?id=1471638 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11334 + +Patch copied from upstream source repository: + +http://git.qemu.org/?p=qemu.git;a=commitdiff;h=04bf2526ce87f21b32c9acba1c5518708c243ad0 + +From 04bf2526ce87f21b32c9acba1c5518708c243ad0 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Wed, 12 Jul 2017 18:08:40 +0530 +Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram + +When accessing guest's ram block during DMA operation, use +'qemu_ram_ptr_length' to get ram block pointer. It ensures +that DMA operation of given length is possible; And avoids +any OOB memory access situations. + +Reported-by: Alex <broscutamaker@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20170712123840.29328-1-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + exec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/exec.c b/exec.c +index a083ff89ad..ad103ce483 100644 +--- a/exec.c ++++ b/exec.c +@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr, + } + } else { + /* RAM case */ +- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); ++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + memcpy(ptr, buf, l); + invalidate_and_set_dirty(mr, addr1, l); + } +@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr, + } + } else { + /* RAM case */ +- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); ++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + memcpy(buf, ptr, l); + } + +-- +2.13.3 + diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index fd5cea5eb2..d999d16e37 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -81,7 +81,8 @@ "qemu-CVE-2017-8309.patch" "qemu-CVE-2017-8379.patch" "qemu-CVE-2017-8380.patch" - "qemu-CVE-2017-9524.patch")) + "qemu-CVE-2017-9524.patch" + "qemu-CVE-2017-11334.patch")) (sha256 (base32 "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h")))) |