diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch new file mode 100644 index 0000000000..d7ae8713ca --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | From ce317461573bac12b10d67699b4ddf1f97cf066c Mon Sep 17 00:00:00 2001 | ||
2 | From: Jason Wang <jasowang@redhat.com> | ||
3 | Date: Fri, 25 Sep 2015 13:21:28 +0800 | ||
4 | Subject: [PATCH] virtio: introduce virtqueue_unmap_sg() | ||
5 | |||
6 | Factor out sg unmapping logic. This will be reused by the patch that | ||
7 | can discard descriptor. | ||
8 | |||
9 | Cc: Michael S. Tsirkin <mst@redhat.com> | ||
10 | Cc: Andrew James <andrew.james@hpe.com> | ||
11 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
12 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
13 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | |||
17 | git.qemu.org/?p=qemu.git;a=commit;h=ce317461573bac12b10d67699b4ddf1f97cf066c | ||
18 | |||
19 | CVE: CVE-2015-7295 patch #1 | ||
20 | [Yocto # 9013] | ||
21 | |||
22 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
23 | |||
24 | --- | ||
25 | hw/virtio/virtio.c | 14 ++++++++++---- | ||
26 | 1 file changed, 10 insertions(+), 4 deletions(-) | ||
27 | |||
28 | Index: qemu-2.4.0/hw/virtio/virtio.c | ||
29 | =================================================================== | ||
30 | --- qemu-2.4.0.orig/hw/virtio/virtio.c | ||
31 | +++ qemu-2.4.0/hw/virtio/virtio.c | ||
32 | @@ -243,14 +243,12 @@ int virtio_queue_empty(VirtQueue *vq) | ||
33 | return vring_avail_idx(vq) == vq->last_avail_idx; | ||
34 | } | ||
35 | |||
36 | -void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, | ||
37 | - unsigned int len, unsigned int idx) | ||
38 | +static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem, | ||
39 | + unsigned int len) | ||
40 | { | ||
41 | unsigned int offset; | ||
42 | int i; | ||
43 | |||
44 | - trace_virtqueue_fill(vq, elem, len, idx); | ||
45 | - | ||
46 | offset = 0; | ||
47 | for (i = 0; i < elem->in_num; i++) { | ||
48 | size_t size = MIN(len - offset, elem->in_sg[i].iov_len); | ||
49 | @@ -266,6 +264,14 @@ void virtqueue_fill(VirtQueue *vq, const | ||
50 | cpu_physical_memory_unmap(elem->out_sg[i].iov_base, | ||
51 | elem->out_sg[i].iov_len, | ||
52 | 0, elem->out_sg[i].iov_len); | ||
53 | +} | ||
54 | + | ||
55 | +void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, | ||
56 | + unsigned int len, unsigned int idx) | ||
57 | +{ | ||
58 | + trace_virtqueue_fill(vq, elem, len, idx); | ||
59 | + | ||
60 | + virtqueue_unmap_sg(vq, elem, len); | ||
61 | |||
62 | idx = (idx + vring_used_idx(vq)) % vq->vring.num; | ||
63 | |||