diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch | 54 |
1 files changed, 0 insertions, 54 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch b/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch deleted file mode 100644 index 56559c8388..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch +++ /dev/null | |||
| @@ -1,54 +0,0 @@ | |||
| 1 | CVE: CVE-2018-20125 | ||
| 2 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce] | ||
| 3 | |||
| 4 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
| 5 | |||
| 6 | From 2c858ce5da8ae6689c75182b73bc455a291cad41 Mon Sep 17 00:00:00 2001 | ||
| 7 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 8 | Date: Thu, 13 Dec 2018 01:00:36 +0530 | ||
| 9 | Subject: [PATCH] pvrdma: check number of pages when creating rings | ||
| 10 | |||
| 11 | When creating CQ/QP rings, an object can have up to | ||
| 12 | PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter | ||
| 13 | to avoid excessive memory allocation or a null dereference. | ||
| 14 | |||
| 15 | Reported-by: Li Qiang <liq3ea@163.com> | ||
| 16 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 17 | Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> | ||
| 18 | Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> | ||
| 19 | --- | ||
| 20 | hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++ | ||
| 21 | 1 file changed, 11 insertions(+) | ||
| 22 | |||
| 23 | diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c | ||
| 24 | index 3b94545761..f236ac4795 100644 | ||
| 25 | --- a/hw/rdma/vmw/pvrdma_cmd.c | ||
| 26 | +++ b/hw/rdma/vmw/pvrdma_cmd.c | ||
| 27 | @@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring, | ||
| 28 | int rc = -EINVAL; | ||
| 29 | char ring_name[MAX_RING_NAME_SZ]; | ||
| 30 | |||
| 31 | + if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) { | ||
| 32 | + pr_dbg("invalid nchunks: %d\n", nchunks); | ||
| 33 | + return rc; | ||
| 34 | + } | ||
| 35 | + | ||
| 36 | pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); | ||
| 37 | dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); | ||
| 38 | if (!dir) { | ||
| 39 | @@ -372,6 +377,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma, | ||
| 40 | char ring_name[MAX_RING_NAME_SZ]; | ||
| 41 | uint32_t wqe_sz; | ||
| 42 | |||
| 43 | + if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES | ||
| 44 | + || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) { | ||
| 45 | + pr_dbg("invalid pages: %d, %d\n", spages, rpages); | ||
| 46 | + return rc; | ||
| 47 | + } | ||
| 48 | + | ||
| 49 | pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); | ||
| 50 | dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); | ||
| 51 | if (!dir) { | ||
| 52 | -- | ||
| 53 | 2.20.1 | ||
| 54 | |||