Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch | 53 |
1 files changed, 53 insertions, 0 deletions
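--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
@@ -0,0 +1,53 @@
+From 2ad23e10869f1b54c5c92fc21af453896ebb5c92 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 22 Jul 2014 17:26:41 +0200
+Subject: [PATCH] vmstate_xhci_event: fix unterminated field list
+
+"vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live
+migration support"), and first released in v1.6.0. The field list in this
+VMSD is not terminated with the VMSTATE_END_OF_LIST() macro.
+
+During normal use (ie. migration), the issue is practically invisible,
+because the "vmstate_xhci_event" object (with the unterminated field list)
+is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full()
+returns true, for the "ev_buffer" test. Since that field_exists() check
+(apparently) almost always returns false, we almost never traverse
+"vmstate_xhci_event" during migration, which hides the bug.
+
+However, Amit's vmstate checker forces recursion into this VMSD as well,
+and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator
+check (field->name != NULL) in dump_vmstate_vmsd(). The result is
+undefined behavior, which in my case translates to infinite recursion
+(because the loop happens to overflow into "vmstate_xhci_intr", which then
+links back to "vmstate_xhci_event").
+
+Add the missing terminator.
+
+Fixes CVE-2014-5263.
+Upstream-Status: Backport
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+hw/usb/hcd-xhci.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 835f65e..745617e 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3571,6 +3571,7 @@ static const VMStateDescription vmstate_xhci_event = {
+VMSTATE_UINT32(flags, XHCIEvent),
+VMSTATE_UINT8(slotid, XHCIEvent),
+VMSTATE_UINT8(epid, XHCIEvent),
++ VMSTATE_END_OF_LIST()
+}
+};
+
+--
+1.9.1
+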
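Review bot: Nothing in this section wires the new patch into the build; the diffstat on this page is limited to the .patch path, so the matching `SRC_URI += "file://vmstate_xhci_event-CVE-2014-5263.patch"` in the qemu recipe is not visible here and should be confirmed to be part of the same change, otherwise the backport is never applied and the CVE stays open in the built qemu. The patch header carries the fix only as prose ("Fixes CVE-2014-5263."); adding a dedicated `CVE: CVE-2014-5263` tag line next to `Upstream-Status: Backport` lets cve-check style tooling match the patch to the advisory, and citing the upstream commit on the Upstream-Status line (the id in the From header, 2ad23e10869f1b54c5c92fc21af453896ebb5c92) makes the backport traceable without reading the mail header. The one-line C change itself is the complete upstream fix: the `fields` array of a VMStateDescription is walked until a NULL name, so the missing `VMSTATE_END_OF_LIST()` read past the array, and the rest of `vmstate_xhci_event` lies outside the quoted hunk.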