diff options
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-5856.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-5856.patch | 68 |
1 files changed, 0 insertions, 68 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-5856.patch b/gnu/packages/patches/qemu-CVE-2017-5856.patch deleted file mode 100644 index bee0824c0a..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5856.patch +++ /dev/null @@ -1,68 +0,0 @@ -http://git.qemu.org/?p=qemu.git;a=patch;h=765a707000e838c30b18d712fe6cb3dd8e0435f3 -this patch is from qemu-git. - - -From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini <pbonzini@redhat.com> -Date: Mon, 2 Jan 2017 11:03:33 +0100 -Subject: [PATCH] megasas: fix guest-triggered memory leak - -If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd -will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory. -Avoid this by returning only the status from map_dcmd, and loading -cmd->iov_size in the caller. - -Reported-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/scsi/megasas.c | 11 ++++++----- - 1 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 67fc1e7..6233865 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd) - trace_megasas_dcmd_invalid_sge(cmd->index, - cmd->frame->header.sge_count); - cmd->iov_size = 0; -- return -1; -+ return -EINVAL; - } - iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl); - iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl); - pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1); - qemu_sglist_add(&cmd->qsg, iov_pa, iov_size); - cmd->iov_size = iov_size; -- return cmd->iov_size; -+ return 0; - } - - static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size) -@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t { - - static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) - { -- int opcode, len; -+ int opcode; - int retval = 0; -+ size_t len; - const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl; - - opcode = le32_to_cpu(cmd->frame->dcmd.opcode); - trace_megasas_handle_dcmd(cmd->index, opcode); -- len = megasas_map_dcmd(s, cmd); -- if (len < 0) { -+ if (megasas_map_dcmd(s, cmd) < 0) { - return MFI_STAT_MEMORY_NOT_AVAILABLE; - } - while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) { - cmdptr++; - } -+ len = cmd->iov_size; - if (cmdptr->opcode == -1) { - trace_megasas_dcmd_unhandled(cmd->index, opcode, len); - retval = megasas_dcmd_dummy(s, cmd); --- -1.7.0.4 - |