various fixes
[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-6490-virtio-check-vring-descriptor-buffer-length.patch
blobd776e548417942edede4e73e3c9af8501817c589
1 From 3f8bf5846151f173361966cb4869ab5a1306ad37 Mon Sep 17 00:00:00 2001
2 From: Prasad J Pandit <pjp@fedoraproject.org>
3 Date: Wed, 27 Jul 2016 21:07:56 +0530
4 Subject: [PATCH] virtio: check vring descriptor buffer length
6 virtio back end uses set of buffers to facilitate I/O operations.
7 An infinite loop unfolds in virtqueue_pop() if a buffer was
8 of zero size. Add check to avoid it.
10 Reported-by: Li Qiang <liqiang6-s@360.cn>
11 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
12 Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
13 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
14 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
15 ---
16 hw/virtio/virtio.c | 5 +++++
17 1 file changed, 5 insertions(+)
19 diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
20 index 30ede3d..8de896c 100644
21 --- a/hw/virtio/virtio.c
22 +++ b/hw/virtio/virtio.c
23 @@ -457,6 +457,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
24 unsigned num_sg = *p_num_sg;
25 assert(num_sg <= max_num_sg);
27 + if (!sz) {
28 + error_report("virtio: zero sized buffers are not allowed");
29 + exit(1);
30 + }
32 while (sz) {
33 hwaddr len = sz;
35 --
36 2.1.4