Diffstat (limited to 'main/qemu/xsa155-qemu-xenfb.patch')
-rw-r--r-- | main/qemu/xsa155-qemu-xenfb.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/main/qemu/xsa155-qemu-xenfb.patch b/main/qemu/xsa155-qemu-xenfb.patch
new file mode 100644
index 0000000000..dfc871375b
--- /dev/null
+++ b/main/qemu/xsa155-qemu-xenfb.patch
@@ -0,0 +1,41 @@
+xenfb: avoid reading twice the same fields from the shared page
+
+Reading twice the same field could give the guest an attack of
+opportunity. In the case of event->type, gcc could compile the switch
+statement into a jump table, effectively ending up reading the type
+field multiple times.
+
+This is part of XSA-155.
+
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+
+diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
+index 5e324ef..4e2a27a 100644
+--- a/hw/display/xenfb.c
++++ b/hw/display/xenfb.c
+@@ -784,18 +784,20 @@ static void xenfb_invalidate(void *opaque)
+
+ static void xenfb_handle_events(struct XenFB *xenfb)
+ {
+- uint32_t prod, cons;
++ uint32_t prod, cons, out_cons;
+ struct xenfb_page *page = xenfb->c.page;
+
+ prod = page->out_prod;
+- if (prod == page->out_cons)
++ out_cons = page->out_cons;
++ if (prod == out_cons)
+ return;
+ xen_rmb(); /* ensure we see ring contents up to prod */
+- for (cons = page->out_cons; cons != prod; cons++) {
++ for (cons = out_cons; cons != prod; cons++) {
+ union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
++ uint8_t type = event->type;
+ int x, y, w, h;
+
+- switch (event->type) {
++ switch (type) {
+ case XENFB_TYPE_UPDATE:
+ if (xenfb->up_count == UP_QUEUE)
+ xenfb->up_fullscreen = 1;
|
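Review bot: The local copies this hunk introduces (`out_cons = page->out_cons;` and `uint8_t type = event->type;`) are plain non-volatile loads from the guest-shared page, so the compiler is still permitted to re-load the field from memory instead of using the local wherever it sees no intervening write; in practice GCC keeps them in registers, but that is what the commit message relies on rather than something the code guarantees. A volatile-qualified read pins exactly one access, e.g. `uint8_t type = *(volatile uint8_t *)&event->type;` and the same form for `out_cons`, or a compiler barrier placed directly after the two loads. xenfb_handle_events continues past the end of the hunk, so whether the per-case bodies that follow read other event fields more than once cannot be checked from here. The patch file also carries no upstream commit reference beyond the Signed-off-by line, which makes it harder to match against the QEMU tree when the package is next updated.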