19 changed files with 637 additions and 6 deletions
@ -0,0 +1,34 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
Vmware Paravirtual SCSI emulator while processing IO requests |
|||
could run into an infinite loop if 'pvscsi_ring_pop_req_descr' |
|||
always returned positive value. Limit IO loop to the ring size. |
|||
|
|||
Cc: address@hidden |
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
Message-Id: <address@hidden> |
|||
Signed-off-by: Paolo Bonzini <address@hidden> |
|||
---
|
|||
hw/scsi/vmw_pvscsi.c | 5 ++++- |
|||
1 file changed, 4 insertions(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
|||
index babac5a..a5ce7de 100644
|
|||
--- a/hw/scsi/vmw_pvscsi.c
|
|||
+++ b/hw/scsi/vmw_pvscsi.c
|
|||
@@ -247,8 +247,11 @@ static hwaddr
|
|||
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) |
|||
{ |
|||
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); |
|||
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
|
|||
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
|||
|
|||
- if (ready_ptr != mgr->consumed_ptr) {
|
|||
+ if (ready_ptr != mgr->consumed_ptr
|
|||
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
|
|||
uint32_t next_ready_ptr = |
|||
mgr->consumed_ptr++ & mgr->txr_len_mask; |
|||
uint32_t next_ready_page = |
|||
--
|
|||
1.8.3.1 |
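Review bot: The new bound on `ready_ptr - mgr->consumed_ptr` uses the compile-time maximum ring size, so a guest can still make the caller's pop loop walk up to PVSCSI_MAX_NUM_PAGES_REQ_RING * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE entries before it stops, regardless of the ring actually configured. Since the descriptor index is taken as `mgr->consumed_ptr++ & mgr->txr_len_mask` two lines below, the configured size is presumably `mgr->txr_len_mask + 1` and would be the tighter bound, provided txr_len_mask is always of the form 2^k-1 (its setup is outside the hunk). Whichever bound is kept, the intent deserves a comment, e.g. `/* reqProdIdx lives in guest memory: cap how far ahead of consumed_ptr it may claim to be so the caller's pop loop terminates */`. The rest of pvscsi_ring_pop_req_descr continues beyond the hunk.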
@ -0,0 +1,38 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
virtio back end uses set of buffers to facilitate I/O operations. |
|||
If its size is too large, 'cpu_physical_memory_map' could return |
|||
a null address. This would result in a null dereference |
|||
while un-mapping descriptors. Add check to avoid it. |
|||
|
|||
Reported-by: Qinghao Tang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/virtio/virtio.c | 10 ++++++---- |
|||
1 file changed, 6 insertions(+), 4 deletions(-) |
|||
|
|||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
|||
index 15ee3a7..0a4c5b6 100644
|
|||
--- a/hw/virtio/virtio.c
|
|||
+++ b/hw/virtio/virtio.c
|
|||
@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
|||
} |
|||
|
|||
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write); |
|||
- iov[num_sg].iov_len = len;
|
|||
- addr[num_sg] = pa;
|
|||
+ if (iov[num_sg].iov_base) {
|
|||
+ iov[num_sg].iov_len = len;
|
|||
+ addr[num_sg] = pa;
|
|||
|
|||
+ pa += len;
|
|||
+ num_sg++;
|
|||
+ }
|
|||
sz -= len; |
|||
- pa += len;
|
|||
- num_sg++;
|
|||
} |
|||
*p_num_sg = num_sg; |
|||
} |
|||
--
|
|||
2.5.5 |
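Review bot: A NULL return from cpu_physical_memory_map is now skipped silently: `sz -= len` still runs for the unmapped chunk, so the caller presumably receives an iov with that range missing and no diagnostic is emitted. A failed mapping is a guest or resource error that should at least be logged, e.g. `qemu_log_mask(LOG_GUEST_ERROR, "%s: unable to map descriptor\n", __func__);` on the new else-path, and mapping should stop there rather than continue to the next chunk. If cpu_physical_memory_map leaves `len` unchanged or zero on failure, the enclosing loop may also make no progress on `sz`; worth confirming. The loop header of virtqueue_map_desc and its callers are outside the hunk.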
@ -0,0 +1,31 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
When processing IO request in mptsas, it uses g_new to allocate |
|||
a 'req' object. If an error occurs before 'req->sreq' is |
|||
allocated, It could lead to an OOB write in mptsas_free_request |
|||
function. Use g_new0 to avoid it. |
|||
|
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
Message-Id: <address@hidden> |
|||
Cc: address@hidden |
|||
Signed-off-by: Paolo Bonzini <address@hidden> |
|||
---
|
|||
hw/scsi/mptsas.c | 2 +- |
|||
1 file changed, 1 insertion(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
|||
index 0e0a22f..eaae1bb 100644
|
|||
--- a/hw/scsi/mptsas.c
|
|||
+++ b/hw/scsi/mptsas.c
|
|||
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
|
|||
goto bad; |
|||
} |
|||
|
|||
- req = g_new(MPTSASRequest, 1);
|
|||
+ req = g_new0(MPTSASRequest, 1);
|
|||
QTAILQ_INSERT_TAIL(&s->pending, req, next); |
|||
req->scsi_io = *scsi_io; |
|||
req->dev = s; |
|||
--
|
|||
1.8.3.1 |
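Review bot: The switch to g_new0 is correct but silent about why it matters: the `bad` cleanup path (outside the hunk) evidently reads fields such as `req->sreq` that are only assigned later in this function, and a reader of this line alone cannot tell that zero-initialisation is load-bearing. A one-line comment would make it explicit, e.g. `/* zeroed: the 'bad' cleanup path releases fields that are not set up yet */`. mptsas_process_scsi_io_request starts and ends outside the hunk.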
@ -0,0 +1,26 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
If the xhci uses msix, it doesn't free the corresponding |
|||
memory, thus leading a memory leak. This patch avoid this. |
|||
|
|||
Signed-off-by: Li Qiang <address@hidden> |
|||
---
|
|||
hw/usb/hcd-xhci.c | 3 +-- |
|||
1 file changed, 1 insertion(+), 2 deletions(-) |
|||
|
|||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
|||
index 188f954..281a2a5 100644
|
|||
--- a/hw/usb/hcd-xhci.c
|
|||
+++ b/hw/usb/hcd-xhci.c
|
|||
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
|
|||
/* destroy msix memory region */ |
|||
if (dev->msix_table && dev->msix_pba |
|||
&& dev->msix_entry_used) { |
|||
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
|
|||
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
|
|||
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
|
|||
} |
|||
|
|||
usb_bus_release(&xhci->bus); |
|||
--
|
|||
1.8.3.1 |
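Review bot: The guard `dev->msix_table && dev->msix_pba && dev->msix_entry_used` is kept around the new msix_uninit call, yet msix_uninit is the MSI-X teardown entry point and presumably performs its own presence check, so the three-field condition is now either redundant or a subtle divergence from what msix_uninit itself tests; please confirm against msix_uninit's definition and drop the outer test if it is redundant. Whichever form stays, the intent should be stated, e.g. `/* msix_uninit() also releases the table/PBA/entry_used allocations the old del_subregion calls left behind */`. usb_xhci_exit continues outside the hunk.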
@ -0,0 +1,45 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
i.MX Fast Ethernet Controller uses buffer descriptors to manage |
|||
data flow to/fro receive & transmit queues. While transmitting |
|||
packets, it could continue to read buffer descriptors if a buffer |
|||
descriptor has length of zero and has crafted values in bd.flags. |
|||
Set an upper limit to number of buffer descriptors. |
|||
|
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/net/imx_fec.c | 6 ++++-- |
|||
1 file changed, 4 insertions(+), 2 deletions(-) |
|||
|
|||
Update per |
|||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html |
|||
|
|||
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
|
|||
index 1c415ab..1d74827 100644
|
|||
--- a/hw/net/imx_fec.c
|
|||
+++ b/hw/net/imx_fec.c
|
|||
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
|
|||
#define PHY_INT_PARFAULT (1 << 2) |
|||
#define PHY_INT_AUTONEG_PAGE (1 << 1) |
|||
|
|||
+#define IMX_MAX_DESC 1024
|
|||
+
|
|||
static void imx_eth_update(IMXFECState *s); |
|||
|
|||
/* |
|||
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
|
|||
|
|||
static void imx_fec_do_tx(IMXFECState *s) |
|||
{ |
|||
- int frame_size = 0;
|
|||
+ int frame_size = 0, descnt = 0;
|
|||
uint8_t frame[ENET_MAX_FRAME_SIZE]; |
|||
uint8_t *ptr = frame; |
|||
uint32_t addr = s->tx_descriptor; |
|||
|
|||
- while (1) {
|
|||
+ while (descnt++ < IMX_MAX_DESC) {
|
|||
IMXFECBufDesc bd; |
|||
int len; |
|||
|
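Review bot: `IMX_MAX_DESC 1024` is introduced without a comment, and `while (descnt++ < IMX_MAX_DESC)` exits silently when the bound is hit, so a guest-built descriptor chain that never terminates is abandoned with the partially assembled `frame` discarded and, as far as the hunk shows, no LOG_GUEST_ERROR or status bit raised (the loop body is outside the hunk). A comment at the define would record the intent, e.g. `/* Upper bound on TX buffer descriptors walked per frame: a ring of zero-length descriptors with crafted flags would otherwise never reach a terminating descriptor */`, and a qemu_log_mask(LOG_GUEST_ERROR, ...) when the bound is reached would make the abort observable. The mcf_fec patch in this series adds `FEC_MAX_DESC 1024` with the same loop shape and the same gaps.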
@ -0,0 +1,52 @@ |
|||
From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001 |
|||
From: Prasad J Pandit <pjp@fedoraproject.org> |
|||
Date: Thu, 22 Sep 2016 16:02:37 +0530 |
|||
Subject: [PATCH] net: mcf: limit buffer descriptor count |
|||
|
|||
ColdFire Fast Ethernet Controller uses buffer descriptors to manage |
|||
data flow to/fro receive & transmit queues. While transmitting |
|||
packets, it could continue to read buffer descriptors if a buffer |
|||
descriptor has length of zero and has crafted values in bd.flags. |
|||
Set upper limit to number of buffer descriptors. |
|||
|
|||
Reported-by: Li Qiang <liqiang6-s@360.cn> |
|||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> |
|||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> |
|||
Signed-off-by: Jason Wang <jasowang@redhat.com> |
|||
---
|
|||
hw/net/mcf_fec.c | 5 +++-- |
|||
1 files changed, 3 insertions(+), 2 deletions(-) |
|||
|
|||
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
|||
index 0ee8ad9..d31fea1 100644
|
|||
--- a/hw/net/mcf_fec.c
|
|||
+++ b/hw/net/mcf_fec.c
|
|||
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
|
|||
#define DPRINTF(fmt, ...) do {} while(0) |
|||
#endif |
|||
|
|||
+#define FEC_MAX_DESC 1024
|
|||
#define FEC_MAX_FRAME_SIZE 2032 |
|||
|
|||
typedef struct { |
|||
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
|||
uint32_t addr; |
|||
mcf_fec_bd bd; |
|||
int frame_size; |
|||
- int len;
|
|||
+ int len, descnt = 0;
|
|||
uint8_t frame[FEC_MAX_FRAME_SIZE]; |
|||
uint8_t *ptr; |
|||
|
|||
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
|||
ptr = frame; |
|||
frame_size = 0; |
|||
addr = s->tx_descriptor; |
|||
- while (1) {
|
|||
+ while (descnt++ < FEC_MAX_DESC) {
|
|||
mcf_fec_read_bd(&bd, addr); |
|||
DPRINTF("tx_bd %x flags %04x len %d data %08x\n", |
|||
addr, bd.flags, bd.length, bd.data); |
|||
--
|
|||
1.7.0.4 |
|||
|
@ -0,0 +1,32 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
The AMD PC-Net II emulator has set of control and status(CSR) |
|||
registers. Of these, CSR76 and CSR78 hold receive and transmit |
|||
descriptor ring length respectively. This ring length could range |
|||
from 1 to 65535. Setting ring length to zero leads to an infinite |
|||
loop in pcnet_rdra_addr. Add check to avoid it. |
|||
|
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/net/pcnet.c | 3 +++ |
|||
1 file changed, 3 insertions(+) |
|||
|
|||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
|||
index 198a01f..3078de8 100644
|
|||
--- a/hw/net/pcnet.c
|
|||
+++ b/hw/net/pcnet.c
|
|||
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
|
|||
case 47: /* POLLINT */ |
|||
case 72: |
|||
case 74: |
|||
+ break;
|
|||
case 76: /* RCVRL */ |
|||
case 78: /* XMTRL */ |
|||
+ val = (val > 0) ? val : 512;
|
|||
+ break;
|
|||
case 112: |
|||
if (CSR_STOP(s) || CSR_SPND(s)) |
|||
break; |
|||
--
|
|||
2.5.5 |
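Review bot: The added `break;` after `case 74:` and after the new CSR76/78 clamp changes more than the stated fix: on the old side cases 47, 72, 74, 76 and 78 fell through to the `case 112` gate, which only `break`s when the device is stopped or suspended (what follows the gate is outside the hunk), whereas now writes to these registers bypass that gate entirely. If that relaxation is intended it belongs in the commit message; if not, the clamp can be inserted without the extra breaks so the gate still applies. The fallback `512` is also a magic number and deserves a comment such as `/* RCVRL/XMTRL: a ring length of 0 would make pcnet_rdra_addr loop forever */`. The code after the switch is outside the hunk.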
@ -0,0 +1,25 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
In virtio gpu resource create dispatch, if the pixman format is zero |
|||
it doesn't free the resource object allocated previously. Thus leading |
|||
a host memory leak issue. This patch avoid this. |
|||
|
|||
Signed-off-by: Li Qiang <address@hidden> |
|||
---
|
|||
hw/display/virtio-gpu.c | 1 + |
|||
1 file changed, 1 insertion(+) |
|||
|
|||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
|||
index 7fe6ed8..5b6d17b 100644
|
|||
--- a/hw/display/virtio-gpu.c
|
|||
+++ b/hw/display/virtio-gpu.c
|
|||
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
|
|||
qemu_log_mask(LOG_GUEST_ERROR, |
|||
"%s: host couldn't handle guest format %d\n", |
|||
__func__, c2d.format); |
|||
+ g_free(res);
|
|||
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; |
|||
return; |
|||
} |
|||
--
|
|||
1.8.3.1 |
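Review bot: `g_free(res)` is only a complete fix if nothing before this point has published `res`: if the resource has already been linked into a list or given sub-allocations, freeing it here leaves a dangling entry rather than closing a leak. The allocation and the preceding statements of virtio_gpu_resource_create_2d are outside the hunk, so please confirm that any list insertion happens after the format check. If later steps in this function can also fail after the allocation (image creation, for instance), they need the same release, and a single cleanup path would be preferable to per-branch frees.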
@ -0,0 +1,26 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
While processing isochronous transfer descriptors(iTD), if the page |
|||
select(PG) field value is out of bands it will return. In this |
|||
situation the ehci's sg list doesn't be freed thus leading a memory |
|||
leak issue. This patch avoid this. |
|||
|
|||
Signed-off-by: Li Qiang <address@hidden> |
|||
---
|
|||
hw/usb/hcd-ehci.c | 1 + |
|||
1 file changed, 1 insertion(+) |
|||
|
|||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
|||
index b093db7..f4ece9a 100644
|
|||
--- a/hw/usb/hcd-ehci.c
|
|||
+++ b/hw/usb/hcd-ehci.c
|
|||
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
|||
if (off + len > 4096) { |
|||
/* transfer crosses page border */ |
|||
if (pg == 6) { |
|||
+ qemu_sglist_destroy(&ehci->isgl);
|
|||
return -1; /* avoid page pg + 1 */ |
|||
} |
|||
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); |
|||
--
|
|||
1.8.3.1 |
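Review bot: The destroy is added to one early return, but ehci_process_itd presumably has other `return -1` paths after `ehci->isgl` is set up that would leak in the same way; a single cleanup label reached from every failure point would be more robust than patching one branch. A comment on the new line would help the next reader, e.g. `/* isgl is presumably initialised earlier in this function; release it on this abort path */`. The function's start and its other exits are outside the hunk.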
@ -0,0 +1,61 @@ |
|||
From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001 |
|||
From: Gerd Hoffmann <address@hidden> |
|||
Date: Fri, 7 Oct 2016 10:15:29 +0200 |
|||
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process |
|||
|
|||
Signed-off-by: Gerd Hoffmann <address@hidden> |
|||
---
|
|||
hw/usb/hcd-xhci.c | 10 ++++++++++ |
|||
1 file changed, 10 insertions(+) |
|||
|
|||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
|||
index 726435c..ee4fa48 100644
|
|||
--- a/hw/usb/hcd-xhci.c
|
|||
+++ b/hw/usb/hcd-xhci.c
|
|||
@@ -54,6 +54,8 @@
|
|||
* to the specs when it gets them */ |
|||
#define ER_FULL_HACK |
|||
|
|||
+#define TRB_LINK_LIMIT 4
|
|||
+
|
|||
#define LEN_CAP 0x40 |
|||
#define LEN_OPER (0x400 + 0x10 * MAXPORTS) |
|||
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) |
|||
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
|||
dma_addr_t *addr) |
|||
{ |
|||
PCIDevice *pci_dev = PCI_DEVICE(xhci); |
|||
+ uint32_t link_cnt = 0;
|
|||
|
|||
while (1) { |
|||
TRBType type; |
|||
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
|||
ring->dequeue += TRB_SIZE; |
|||
return type; |
|||
} else { |
|||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
|||
+ return 0;
|
|||
+ }
|
|||
ring->dequeue = xhci_mask64(trb->parameter); |
|||
if (trb->control & TRB_LK_TC) { |
|||
ring->ccs = !ring->ccs; |
|||
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
|||
bool ccs = ring->ccs; |
|||
/* hack to bundle together the two/three TDs that make a setup transfer */ |
|||
bool control_td_set = 0; |
|||
+ uint32_t link_cnt = 0;
|
|||
|
|||
while (1) { |
|||
TRBType type; |
|||
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
|||
type = TRB_TYPE(trb); |
|||
|
|||
if (type == TR_LINK) { |
|||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
|||
+ return -length;
|
|||
+ }
|
|||
dequeue = xhci_mask64(trb.parameter); |
|||
if (trb.control & TRB_LK_TC) { |
|||
ccs = !ccs; |
|||
--
|
|||
1.8.3.1 |
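Review bot: `TRB_LINK_LIMIT 4` is introduced without a comment, and the two new guards fail in different shapes: xhci_ring_fetch returns `0` (relying on callers to treat TRBType 0 as an error) while xhci_ring_chain_length returns `-length`, neither with a LOG_GUEST_ERROR. A comment at the define would record why 4 is sufficient, e.g. `/* max consecutive link TRBs followed per fetch; a guest ring of link TRBs pointing at each other would otherwise spin forever */`, and a qemu_log_mask(LOG_GUEST_ERROR, ...) at each guard would make the abort visible. Both loops start and end outside their hunks.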
@ -0,0 +1,34 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
In 9pfs read dispatch function, it doesn't free two QEMUIOVector |
|||
object thus causing potential memory leak. This patch avoid this. |
|||
|
|||
Signed-off-by: Li Qiang <address@hidden> |
|||
---
|
|||
hw/9pfs/9p.c | 5 +++-- |
|||
1 file changed, 3 insertions(+), 2 deletions(-) |
|||
|
|||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
|||
index 119ee58..543a791 100644
|
|||
--- a/hw/9pfs/9p.c
|
|||
+++ b/hw/9pfs/9p.c
|
|||
@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
|
|||
if (len < 0) { |
|||
/* IO error return the error */ |
|||
err = len; |
|||
- goto out;
|
|||
+ goto out_free_iovec;
|
|||
} |
|||
} while (count < max_count && len > 0); |
|||
err = pdu_marshal(pdu, offset, "d", count); |
|||
if (err < 0) { |
|||
- goto out;
|
|||
+ goto out_free_iovec;
|
|||
} |
|||
err += offset + count; |
|||
+out_free_iovec:
|
|||
qemu_iovec_destroy(&qiov); |
|||
qemu_iovec_destroy(&qiov_full); |
|||
} else if (fidp->fid_type == P9_FID_XATTR) { |
|||
--
|
|||
1.8.3.1 |
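Review bot: The new `out_free_iovec:` label sits inside a branch of v9fs_read whose enclosing `if` is outside the hunk, which is unusual enough that a brief comment would help, e.g. `/* error exits in this branch land here so both vectors are released before falling through to out */`. Any `goto out` issued before the vectors are initialised must keep using the old label, since destroying an uninitialised QEMUIOVector is presumably not safe; please confirm that the remaining `goto out` sites in this branch all precede the init.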
@ -0,0 +1,58 @@ |
|||
From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001 |
|||
From: Li Qiang <liqiang6-s@360.cn> |
|||
Date: Mon, 17 Oct 2016 14:13:58 +0200 |
|||
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings |
|||
|
|||
If a guest sends an empty string paramater to any 9P operation, the current |
|||
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }. |
|||
|
|||
This is unfortunate because it can cause NULL pointer dereference to happen |
|||
at various locations in the 9pfs code. And we don't want to check str->data |
|||
everywhere we pass it to strcmp() or any other function which expects a |
|||
dereferenceable pointer. |
|||
|
|||
This patch enforces the allocation of genuine C empty strings instead, so |
|||
callers don't have to bother. |
|||
|
|||
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if |
|||
the returned string is empty. It now uses v9fs_string_size() since |
|||
name.data cannot be NULL anymore. |
|||
|
|||
Signed-off-by: Li Qiang <liqiang6-s@360.cn> |
|||
[groug, rewritten title and changelog, |
|||
fix empty string check in v9fs_xattrwalk()] |
|||
Signed-off-by: Greg Kurz <groug@kaod.org> |
|||
---
|
|||
fsdev/9p-iov-marshal.c | 2 +- |
|||
hw/9pfs/9p.c | 2 +- |
|||
2 files changed, 2 insertions(+), 2 deletions(-) |
|||
|
|||
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
|
|||
index 663cad5..1d16f8d 100644
|
|||
--- a/fsdev/9p-iov-marshal.c
|
|||
+++ b/fsdev/9p-iov-marshal.c
|
|||
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
|
|||
str->data = g_malloc(str->size + 1); |
|||
copied = v9fs_unpack(str->data, out_sg, out_num, offset, |
|||
str->size); |
|||
- if (copied > 0) {
|
|||
+ if (copied >= 0) {
|
|||
str->data[str->size] = 0; |
|||
} else { |
|||
v9fs_string_free(str); |
|||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
|||
index 119ee58..39a7e1d 100644
|
|||
--- a/hw/9pfs/9p.c
|
|||
+++ b/hw/9pfs/9p.c
|
|||
@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque)
|
|||
goto out; |
|||
} |
|||
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path); |
|||
- if (name.data == NULL) {
|
|||
+ if (!v9fs_string_size(&name)) {
|
|||
/* |
|||
* listxattr request. Get the size first |
|||
*/ |
|||
--
|
|||
2.7.3 |
|||
|
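Review bot: Relaxing the check to `copied >= 0` accepts a zero byte count for any size, not only for `str->size == 0`; if v9fs_unpack can ever return fewer bytes than requested, the string is then terminated at `str->size` with uninitialised bytes in between. The tighter condition is to compare against the request, `if (copied == str->size)` (types permitting), which admits the empty-string case while still rejecting a short copy. The change from `name.data == NULL` to `!v9fs_string_size(&name)` in 9p.c is consistent with the new contract, and other call sites that compared `.data` against NULL should be audited too. The start of v9fs_iov_vunmarshal is outside the hunk.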
@ -0,0 +1,30 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
Rocker network switch emulator has test registers to help debug |
|||
DMA operations. While testing host DMA access, a buffer address |
|||
is written to register 'TEST_DMA_ADDR' and its size is written to |
|||
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT |
|||
test, if DMA buffer size was greater than 'INT_MAX', it leads to |
|||
an invalid buffer access. Limit the DMA buffer size to avoid it. |
|||
|
|||
Reported-by: Huawei PSIRT <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/net/rocker/rocker.c | 2 +- |
|||
1 file changed, 1 insertion(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
|||
index 30f2ce4..e9d215a 100644
|
|||
--- a/hw/net/rocker/rocker.c
|
|||
+++ b/hw/net/rocker/rocker.c
|
|||
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
|
|||
rocker_msix_irq(r, val); |
|||
break; |
|||
case ROCKER_TEST_DMA_SIZE: |
|||
- r->test_dma_size = val;
|
|||
+ r->test_dma_size = val & 0xFFFF;
|
|||
break; |
|||
case ROCKER_TEST_DMA_ADDR + 4: |
|||
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32; |
|||
--
|
|||
2.5.5 |
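Review bot: `val & 0xFFFF` silently truncates a guest-written TEST_DMA_SIZE rather than rejecting it, and the constant is unexplained: the commit message motivates the fix with `INT_MAX`, yet the mask limits the buffer to 64 KiB, a far tighter bound whose rationale should be recorded, e.g. `/* test DMA buffers are bounded to 64 KiB; larger sizes are truncated, not rejected */`. If a guest-visible error is preferable to truncation, the write could instead be dropped with a LOG_GUEST_ERROR. The rc4030 patch in this series makes the same kind of change (`val & 0x01FF` for the interval timer reload) and needs the same comment on why that width was chosen.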
@ -0,0 +1,29 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
The JAZZ RC4030 chipset emulator has a periodic timer and |
|||
associated interval reload register. The reload value is used |
|||
as divider when computing timer's next tick value. If reload |
|||
value is large, it could lead to divide by zero error. Limit |
|||
the interval reload value to avoid it. |
|||
|
|||
Reported-by: Huawei PSIRT <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/dma/rc4030.c | 2 +- |
|||
1 file changed, 1 insertion(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
|
|||
index 2f2576f..c1b4997 100644
|
|||
--- a/hw/dma/rc4030.c
|
|||
+++ b/hw/dma/rc4030.c
|
|||
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
|
|||
break; |
|||
/* Interval timer reload */ |
|||
case 0x0228: |
|||
- s->itr = val;
|
|||
+ s->itr = val & 0x01FF;
|
|||
qemu_irq_lower(s->timer_irq); |
|||
set_next_tick(s); |
|||
break; |
|||
--
|
|||
2.5.5 |
@ -0,0 +1,34 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
16550A UART device uses an oscillator to generate frequencies |
|||
(baud base), which decide communication speed. This speed could |
|||
be changed by dividing it by a divider. If the divider is |
|||
greater than the baud base, speed is set to zero, leading to a |
|||
divide by zero error. Add check to avoid it. |
|||
|
|||
Reported-by: Huawei PSIRT <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/char/serial.c | 3 ++- |
|||
1 file changed, 2 insertions(+), 1 deletion(-) |
|||
|
|||
Update per |
|||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02400.html |
|||
|
|||
diff --git a/hw/char/serial.c b/hw/char/serial.c
|
|||
index 3442f47..eec72b7 100644
|
|||
--- a/hw/char/serial.c
|
|||
+++ b/hw/char/serial.c
|
|||
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
|
|||
int speed, parity, data_bits, stop_bits, frame_size; |
|||
QEMUSerialSetParams ssp; |
|||
|
|||
- if (s->divider == 0)
|
|||
+ if (s->divider == 0 || s->divider > s->baudbase) {
|
|||
return; |
|||
+ }
|
|||
|
|||
/* Start bit. */ |
|||
frame_size = 1; |
|||
--
|
|||
2.5.5 |
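Review bot: The new `s->divider > s->baudbase` test encodes a non-obvious arithmetic fact — integer division of baudbase by a larger divider yields a speed of zero, which the commit message says is then used as a divisor — and the bare `return` gives no hint of that. A comment on the condition would carry the reasoning, e.g. `/* baudbase / divider would be 0 and is used as a divisor below */`. The parameter computation that follows is outside the hunk, so the exact division site cannot be checked here.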
@ -0,0 +1,31 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
Intel HDA emulator uses stream of buffers during DMA data |
|||
transfers. Each entry has buffer length and buffer pointer |
|||
position, which are used to derive bytes to 'copy'. If this |
|||
length and buffer pointer were to be same, 'copy' could be |
|||
set to zero(0), leading to an infinite loop. Add check to |
|||
avoid it. |
|||
|
|||
Reported-by: Huawei PSIRT <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/audio/intel-hda.c | 3 ++- |
|||
1 file changed, 2 insertions(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
|
|||
index cd95340..537face 100644
|
|||
--- a/hw/audio/intel-hda.c
|
|||
+++ b/hw/audio/intel-hda.c
|
|||
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
|
|||
} |
|||
|
|||
left = len; |
|||
- while (left > 0) {
|
|||
+ s = st->bentries;
|
|||
+ while (left > 0 && s-- > 0) {
|
|||
copy = left; |
|||
if (copy > st->bsize - st->lpib) |
|||
copy = st->bsize - st->lpib; |
|||
--
|
|||
2.7.4 |
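Review bot: Reusing the existing variable `s` as the countdown in `while (left > 0 && s-- > 0)` obscures the intent; a dedicated counter, e.g. `int entries = st->bentries;` and `while (left > 0 && entries-- > 0)`, reads as a bound rather than a repurposed index. The bound also only caps the iterations: when `copy` comes out as zero (bsize equal to lpib, per the commit message) the loop still makes no progress for up to bentries rounds, so a check on the no-progress case itself may be the more precise fix, and a comment should say which case the bound protects against. The loop body and the earlier use of `s` are outside the hunk.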
@ -0,0 +1,29 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
RTL8139 ethernet controller in C+ mode supports multiple |
|||
descriptor rings, each with maximum of 64 descriptors. While |
|||
processing transmit descriptor ring in 'rtl8139_cplus_transmit', |
|||
it does not limit the descriptor count and runs forever. Add |
|||
check to avoid it. |
|||
|
|||
Reported-by: Andrew Henderson <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/net/rtl8139.c | 2 +- |
|||
1 file changed, 1 insertion(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
|||
index 3345bc6..f05e59c 100644
|
|||
--- a/hw/net/rtl8139.c
|
|||
+++ b/hw/net/rtl8139.c
|
|||
@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
|
|||
{ |
|||
int txcount = 0; |
|||
|
|||
- while (rtl8139_cplus_transmit_one(s))
|
|||
+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
|
|||
{ |
|||
++txcount; |
|||
} |
|||
--
|
|||
2.7.4 |
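Review bot: The literal `64` in `while (txcount < 64 && rtl8139_cplus_transmit_one(s))` is a magic number; the commit message gives its meaning (each C+ descriptor ring holds at most 64 descriptors), so it should become a named constant such as `#define RTL8139_CPLUS_TX_RING_MAX 64` (constructed name) with that comment, placed with the file's other defines. Reaching the bound also ends the loop silently; a LOG_GUEST_ERROR there would help diagnose a guest that submits a ring with no terminating descriptor. rtl8139_cplus_transmit_one and the ring state it walks are outside the hunk.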