1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
new file mode 100644
index 0000000000..ef70c16423
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
@@ -0,0 +1,53 @@
+From 2ad23e10869f1b54c5c92fc21af453896ebb5c92 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 22 Jul 2014 17:26:41 +0200
+Subject: [PATCH] vmstate_xhci_event: fix unterminated field list
+"vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live
+migration support"), and first released in v1.6.0. The field list in this
+VMSD is not terminated with the VMSTATE_END_OF_LIST() macro.
+During normal use (ie. migration), the issue is practically invisible,
+because the "vmstate_xhci_event" object (with the unterminated field list)
+is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full()
+returns true, for the "ev_buffer" test. Since that field_exists() check
+(apparently) almost always returns false, we almost never traverse
+"vmstate_xhci_event" during migration, which hides the bug.
+However, Amit's vmstate checker forces recursion into this VMSD as well,
+and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator
+check (field->name != NULL) in dump_vmstate_vmsd(). The result is
+undefined behavior, which in my case translates to infinite recursion
+(because the loop happens to overflow into "vmstate_xhci_intr", which then
+links back to "vmstate_xhci_event").
+Add the missing terminator.
+Fixes CVE-2014-5263.
+Upstream-Status: Backport
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/usb/hcd-xhci.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 835f65e..745617e 100644
+--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
+@@ -3571,6 +3571,7 @@ static const VMStateDescription vmstate_xhci_event = {
+         VMSTATE_UINT32(flags,  XHCIEvent),
+         VMSTATE_UINT8(slotid,  XHCIEvent),
+         VMSTATE_UINT8(epid,    XHCIEvent),
+        VMSTATE_END_OF_LIST()
+     }
+ };
+ 
+-- 
+1.9.1

diff --git a/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch new file mode 100644 index 0000000000..ef70c16423 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
@@ -0,0 +1,53 @@
	1	From 2ad23e10869f1b54c5c92fc21af453896ebb5c92 Mon Sep 17 00:00:00 2001
	2	From: Laszlo Ersek <lersek@redhat.com>
	3	Date: Tue, 22 Jul 2014 17:26:41 +0200
	4	Subject: [PATCH] vmstate_xhci_event: fix unterminated field list
	5
	6	"vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live
	7	migration support"), and first released in v1.6.0. The field list in this
	8	VMSD is not terminated with the VMSTATE_END_OF_LIST() macro.
	9
	10	During normal use (ie. migration), the issue is practically invisible,
	11	because the "vmstate_xhci_event" object (with the unterminated field list)
	12	is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full()
	13	returns true, for the "ev_buffer" test. Since that field_exists() check
	14	(apparently) almost always returns false, we almost never traverse
	15	"vmstate_xhci_event" during migration, which hides the bug.
	16
	17	However, Amit's vmstate checker forces recursion into this VMSD as well,
	18	and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator
	19	check (field->name != NULL) in dump_vmstate_vmsd(). The result is
	20	undefined behavior, which in my case translates to infinite recursion
	21	(because the loop happens to overflow into "vmstate_xhci_intr", which then
	22	links back to "vmstate_xhci_event").
	23
	24	Add the missing terminator.
	25
	26	Fixes CVE-2014-5263.
	27	Upstream-Status: Backport
	28
	29	Signed-off-by: Laszlo Ersek <lersek@redhat.com>
	30	Reviewed-by: Amit Shah <amit.shah@redhat.com>
	31	Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
	32	Cc: qemu-stable@nongnu.org
	33	Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
	34	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	35	---
	36	hw/usb/hcd-xhci.c \| 1 +
	37	1 file changed, 1 insertion(+)
	38
	39	diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
	40	index 835f65e..745617e 100644
	41	--- a/hw/usb/hcd-xhci.c
	42	+++ b/hw/usb/hcd-xhci.c
	43	@@ -3571,6 +3571,7 @@ static const VMStateDescription vmstate_xhci_event = {
	44	VMSTATE_UINT32(flags, XHCIEvent),
	45	VMSTATE_UINT8(slotid, XHCIEvent),
	46	VMSTATE_UINT8(epid, XHCIEvent),
	47	+ VMSTATE_END_OF_LIST()
	48	}
	49	};
	50
	51	--
	52	1.9.1
	53