diff options
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-10911.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-10911.patch | 106 |
1 files changed, 0 insertions, 106 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/patches/qemu-CVE-2017-10911.patch deleted file mode 100644 index 1dcb860a2d..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-10911.patch +++ /dev/null @@ -1,106 +0,0 @@ -Fix CVE-2017-10911: - -https://xenbits.xen.org/xsa/advisory-216.html -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911 -https://security-tracker.debian.org/tracker/CVE-2017-10911 - -Patch copied from Xen Security Advisory: - -https://xenbits.xen.org/xsa/xsa216-qemuu.patch - ---- a/hw/block/xen_blkif.h -+++ b/hw/block/xen_blkif.h -@@ -14,9 +14,6 @@ - struct blkif_common_request { - char dummy; - }; --struct blkif_common_response { -- char dummy; --}; - - /* i386 protocol version */ - #pragma pack(push, 4) -@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard { - blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */ - uint64_t nr_sectors; /* # of contiguous sectors to discard */ - }; --struct blkif_x86_32_response { -- uint64_t id; /* copied from request */ -- uint8_t operation; /* copied from request */ -- int16_t status; /* BLKIF_RSP_??? */ --}; - typedef struct blkif_x86_32_request blkif_x86_32_request_t; --typedef struct blkif_x86_32_response blkif_x86_32_response_t; - #pragma pack(pop) - - /* x86_64 protocol version */ -@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard { - blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */ - uint64_t nr_sectors; /* # of contiguous sectors to discard */ - }; --struct blkif_x86_64_response { -- uint64_t __attribute__((__aligned__(8))) id; -- uint8_t operation; /* copied from request */ -- int16_t status; /* BLKIF_RSP_??? */ --}; - typedef struct blkif_x86_64_request blkif_x86_64_request_t; --typedef struct blkif_x86_64_response blkif_x86_64_response_t; - - DEFINE_RING_TYPES(blkif_common, struct blkif_common_request, -- struct blkif_common_response); -+ struct blkif_response); - DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request, -- struct blkif_x86_32_response); -+ struct blkif_response QEMU_PACKED); - DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request, -- struct blkif_x86_64_response); -+ struct blkif_response); - - union blkif_back_rings { - blkif_back_ring_t native; ---- a/hw/block/xen_disk.c -+++ b/hw/block/xen_disk.c -@@ -769,31 +769,30 @@ static int blk_send_response_one(struct - struct XenBlkDev *blkdev = ioreq->blkdev; - int send_notify = 0; - int have_requests = 0; -- blkif_response_t resp; -- void *dst; -- -- resp.id = ioreq->req.id; -- resp.operation = ioreq->req.operation; -- resp.status = ioreq->status; -+ blkif_response_t *resp; - - /* Place on the response ring for the relevant domain. */ - switch (blkdev->protocol) { - case BLKIF_PROTOCOL_NATIVE: -- dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt); -+ resp = RING_GET_RESPONSE(&blkdev->rings.native, -+ blkdev->rings.native.rsp_prod_pvt); - break; - case BLKIF_PROTOCOL_X86_32: -- dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part, -- blkdev->rings.x86_32_part.rsp_prod_pvt); -+ resp = RING_GET_RESPONSE(&blkdev->rings.x86_32_part, -+ blkdev->rings.x86_32_part.rsp_prod_pvt); - break; - case BLKIF_PROTOCOL_X86_64: -- dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part, -- blkdev->rings.x86_64_part.rsp_prod_pvt); -+ resp = RING_GET_RESPONSE(&blkdev->rings.x86_64_part, -+ blkdev->rings.x86_64_part.rsp_prod_pvt); - break; - default: -- dst = NULL; - return 0; - } -- memcpy(dst, &resp, sizeof(resp)); -+ -+ resp->id = ioreq->req.id; -+ resp->operation = ioreq->req.operation; -+ resp->status = ioreq->status; -+ - blkdev->rings.common.rsp_prod_pvt++; - - RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify); |