diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch b/meta/recipes-devtools/qemu/qemu/0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch deleted file mode 100644 index d2bdf6b017..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch +++ /dev/null | |||
@@ -1,60 +0,0 @@ | |||
1 | From 065061dca34fa5b91be6dce9a87a8755d8826c78 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Thu, 16 Nov 2017 13:21:55 +0530 | ||
4 | Subject: [PATCH] ps2: check PS2Queue pointers in post_load routine | ||
5 | |||
6 | During Qemu guest migration, a destination process invokes ps2 | ||
7 | post_load function. In that, if 'rptr' and 'count' values were | ||
8 | invalid, it could lead to OOB access or infinite loop issue. | ||
9 | Add check to avoid it. | ||
10 | |||
11 | Reported-by: Cyrille Chatras <cyrille.chatras@orange.com> | ||
12 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
13 | Message-id: 20171116075155.22378-1-ppandit@redhat.com | ||
14 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
15 | |||
16 | CVE: CVE-2017-16845 | ||
17 | Upstream-Status: Backport | ||
18 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
19 | --- | ||
20 | hw/input/ps2.c | 21 +++++++++------------ | ||
21 | 1 file changed, 9 insertions(+), 12 deletions(-) | ||
22 | |||
23 | diff --git a/hw/input/ps2.c b/hw/input/ps2.c | ||
24 | index f388a23..de171a2 100644 | ||
25 | --- a/hw/input/ps2.c | ||
26 | +++ b/hw/input/ps2.c | ||
27 | @@ -1225,24 +1225,21 @@ static void ps2_common_reset(PS2State *s) | ||
28 | static void ps2_common_post_load(PS2State *s) | ||
29 | { | ||
30 | PS2Queue *q = &s->queue; | ||
31 | - int size; | ||
32 | - int i; | ||
33 | - int tmp_data[PS2_QUEUE_SIZE]; | ||
34 | + uint8_t i, size; | ||
35 | + uint8_t tmp_data[PS2_QUEUE_SIZE]; | ||
36 | |||
37 | /* set the useful data buffer queue size, < PS2_QUEUE_SIZE */ | ||
38 | - size = q->count > PS2_QUEUE_SIZE ? 0 : q->count; | ||
39 | + size = (q->count < 0 || q->count > PS2_QUEUE_SIZE) ? 0 : q->count; | ||
40 | |||
41 | /* move the queue elements to the start of data array */ | ||
42 | - if (size > 0) { | ||
43 | - for (i = 0; i < size; i++) { | ||
44 | - /* move the queue elements to the temporary buffer */ | ||
45 | - tmp_data[i] = q->data[q->rptr]; | ||
46 | - if (++q->rptr == 256) { | ||
47 | - q->rptr = 0; | ||
48 | - } | ||
49 | + for (i = 0; i < size; i++) { | ||
50 | + if (q->rptr < 0 || q->rptr >= sizeof(q->data)) { | ||
51 | + q->rptr = 0; | ||
52 | } | ||
53 | - memcpy(q->data, tmp_data, size); | ||
54 | + tmp_data[i] = q->data[q->rptr++]; | ||
55 | } | ||
56 | + memcpy(q->data, tmp_data, size); | ||
57 | + | ||
58 | /* reset rptr/wptr/count */ | ||
59 | q->rptr = 0; | ||
60 | q->wptr = size; | ||