various fixes
[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
blobbe0743de5112c6c76ee884af9f1ae689cee26973
1 From 0d3ac427e34f12b1a33646d47ef3dc390a9b569d Mon Sep 17 00:00:00 2001
2 From: Prasad J Pandit <pjp@fedoraproject.org>
3 Date: Wed, 12 Oct 2016 14:40:55 +0530
4 Subject: [PATCH 1/2] net: rocker: set limit to DMA buffer size
6 Rocker network switch emulator has test registers to help debug
7 DMA operations. While testing host DMA access, a buffer address
8 is written to register 'TEST_DMA_ADDR' and its size is written to
9 register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
10 test, if DMA buffer size was greater than 'INT_MAX', it leads to
11 an invalid buffer access. Limit the DMA buffer size to avoid it.
13 Reported-by: Huawei PSIRT <psirt@huawei.com>
14 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
15 ---
16 hw/net/rocker/rocker.c | 2 +-
17 1 file changed, 1 insertion(+), 1 deletion(-)
19 diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
20 index 30f2ce4..e9d215a 100644
21 --- a/hw/net/rocker/rocker.c
22 +++ b/hw/net/rocker/rocker.c
23 @@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
24 rocker_msix_irq(r, val);
25 break;
26 case ROCKER_TEST_DMA_SIZE:
27 - r->test_dma_size = val;
28 + r->test_dma_size = val & 0xFFFF;
29 break;
30 case ROCKER_TEST_DMA_ADDR + 4:
31 r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
32 --
33 2.1.4