gentoo/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch

39 lines
1.1 KiB
Diff
Raw Normal View History

2016-10-27 17:01:55 +02:00
From: Prasad J Pandit <address@hidden>
virtio back end uses set of buffers to facilitate I/O operations.
If its size is too large, 'cpu_physical_memory_map' could return
a null address. This would result in a null dereference
while un-mapping descriptors. Add check to avoid it.
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/virtio/virtio.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 15ee3a7..0a4c5b6 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
}
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
- iov[num_sg].iov_len = len;
- addr[num_sg] = pa;
+ if (iov[num_sg].iov_base) {
+ iov[num_sg].iov_len = len;
+ addr[num_sg] = pa;
+ pa += len;
+ num_sg++;
+ }
sz -= len;
- pa += len;
- num_sg++;
}
*p_num_sg = num_sg;
}
--
2.5.5