diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch new file mode 100644 index 0000000000..05cc3d9d13 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Backport patch to fix CVE-2016-7908 from: | ||
4 | |||
5 | http://git.qemu.org/?p=qemu.git;a=commit;h=070c4b92b8c | ||
6 | |||
7 | CVE: CVE-2016-7908 | ||
8 | |||
9 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
10 | --- | ||
11 | From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001 | ||
12 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
13 | Date: Thu, 22 Sep 2016 16:02:37 +0530 | ||
14 | Subject: [PATCH] net: mcf: limit buffer descriptor count | ||
15 | |||
16 | ColdFire Fast Ethernet Controller uses buffer descriptors to manage | ||
17 | data flow to/fro receive & transmit queues. While transmitting | ||
18 | packets, it could continue to read buffer descriptors if a buffer | ||
19 | descriptor has length of zero and has crafted values in bd.flags. | ||
20 | Set upper limit to number of buffer descriptors. | ||
21 | |||
22 | Reported-by: Li Qiang <liqiang6-s@360.cn> | ||
23 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
24 | Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> | ||
25 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
26 | --- | ||
27 | hw/net/mcf_fec.c | 5 +++-- | ||
28 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
29 | |||
30 | diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c | ||
31 | index 0ee8ad9..d31fea1 100644 | ||
32 | --- a/hw/net/mcf_fec.c | ||
33 | +++ b/hw/net/mcf_fec.c | ||
34 | @@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0) | ||
35 | #define DPRINTF(fmt, ...) do {} while(0) | ||
36 | #endif | ||
37 | |||
38 | +#define FEC_MAX_DESC 1024 | ||
39 | #define FEC_MAX_FRAME_SIZE 2032 | ||
40 | |||
41 | typedef struct { | ||
42 | @@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) | ||
43 | uint32_t addr; | ||
44 | mcf_fec_bd bd; | ||
45 | int frame_size; | ||
46 | - int len; | ||
47 | + int len, descnt = 0; | ||
48 | uint8_t frame[FEC_MAX_FRAME_SIZE]; | ||
49 | uint8_t *ptr; | ||
50 | |||
51 | @@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) | ||
52 | ptr = frame; | ||
53 | frame_size = 0; | ||
54 | addr = s->tx_descriptor; | ||
55 | - while (1) { | ||
56 | + while (descnt++ < FEC_MAX_DESC) { | ||
57 | mcf_fec_read_bd(&bd, addr); | ||
58 | DPRINTF("tx_bd %x flags %04x len %d data %08x\n", | ||
59 | addr, bd.flags, bd.length, bd.data); | ||
60 | -- | ||
61 | 2.9.3 | ||
62 | |||