diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2016-08-11 15:33:46 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-08-15 16:30:06 +0000 |
commit | c79838c3a14eed1cee24731f89d7b1171751d304 (patch) | |
tree | 486c75133ee1072075d9782672c09b39b9308013 /main/xen/xsa184-qemut-master.patch | |
parent | ee4ffbb28c8a78a28e0315d7050f8837fa316dc5 (diff) | |
download | aports-c79838c3a14eed1cee24731f89d7b1171751d304.tar.bz2 aports-c79838c3a14eed1cee24731f89d7b1171751d304.tar.xz |
main/xen: upgrade to 4.7.0 and add secfixes
Diffstat (limited to 'main/xen/xsa184-qemut-master.patch')
-rw-r--r-- | main/xen/xsa184-qemut-master.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/main/xen/xsa184-qemut-master.patch b/main/xen/xsa184-qemut-master.patch new file mode 100644 index 000000000..b376f33a5 --- /dev/null +++ b/main/xen/xsa184-qemut-master.patch @@ -0,0 +1,43 @@ +From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001 +From: P J P <ppandit@redhat.com> +Date: Tue, 26 Jul 2016 15:31:59 +0100 +Subject: [PATCH] virtio: error out if guest exceeds virtqueue size + +A broken or malicious guest can submit more requests than the virtqueue +size permits. + +The guest can submit requests without bothering to wait for completion +and is therefore not bound by virtqueue size. This requires reusing +vring descriptors in more than one request, which is incorrect but +possible. Processing a request allocates a VirtQueueElement and +therefore causes unbounded memory allocation controlled by the guest. + +Exit with an error if the guest provides more requests than the +virtqueue size permits. This bounds memory allocation and makes the +buggy guest visible to the user. + +Reported-by: Zhenhao Hong <zhenhaohong@gmail.com> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +--- + hw/virtio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio.c b/hw/virtio.c +index c26feff..42897bf 100644 +--- a/tools/qemu-xen-traditional/hw/virtio.c ++++ b/tools/qemu-xen-traditional/hw/virtio.c +@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) + /* When we start there are none of either input nor output. */ + elem->out_num = elem->in_num = 0; + ++ if (vq->inuse >= vq->vring.num) { ++ fprintf(stderr, "Virtqueue size exceeded"); ++ exit(1); ++ } ++ + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); + do { + struct iovec *sg; +-- +2.1.4 + |