pool/qemu
SHA256
5
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
af68a7132d
qemu/exec-set-map-length-to-zero-when-returni.patch
Bruce Rogers af68a7132d Accepting request 822154 from home:bfrogers:branches:Virtualization 
- Updating to Sphinx v3.1.2 in Factory is exposing an issue in
  qemu doc sources. Fix it
  docs-fix-trace-docs-build-with-sphinx-3..patch
- Fix DoS possibility in ati-vga emulation (CVE-2020-13800
  bsc#1172495)
  ati-vga-check-mm_index-before-recursive-.patch
- Fix DoS possibility in Network Block Device (nbd) support
  infrastructure (CVE-2020-10761 bsc#1172710)
  nbd-server-Avoid-long-error-message-asse.patch
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS
  8708EM2 emulation (CVE-2020-13659 bsc#1172386)
  exec-set-map-length-to-zero-when-returni.patch
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation
  (CVE-2020-13362 bsc#1172383)
  megasas-use-unsigned-type-for-reply_queu.patch
- Fix legacy IGD passthrough
  hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch
- The latest gcc10 available in Factory has the fix for the
  issue this patch was created to avoid, so drop it
  build-Work-around-gcc10-bug-by-not-using.patch
- Switch to upstream versions of some patches we carry
  add-enum-cast-to-avoid-gcc10-warning.patch
  -> golan-Add-explicit-type-casts-for-nodnic.patch
  Be-explicit-about-fcommon-compiler-direc.patch
  -> build-Be-explicit-about-fcommon-compiler.patch
  Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch
  -> build-Do-not-apply-WORKAROUND_CFLAGS-for.patch
  Fix-s-directive-argument-is-null-error.patch
  -> build-Fix-s-directive-argument-is-null-e.patch
  Workaround-compilation-error-with-gcc-9..patch
  -> build-Workaround-compilation-error-with-.patch
  work-around-gcc10-problem-with-zero-leng.patch
  -> intel-Avoid-spurious-compiler-warning-on.patch
- Fix vgabios issue for cirrus graphics emulation, which
  effectively downgraded it to standard VGA behavior
  vga-fix-cirrus-bios.patch
- Fix OOB access possibility in ES1370 audio device emulation
  (CVE-2020-13361 bsc#1172384)
  es1370-check-total-frame-count-against-c.patch

OBS-URL: https://build.opensuse.org/request/show/822154
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=553
2020-07-22 04:19:22 +00:00

55 lines
2.3 KiB
Diff
Raw Blame History

From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 26 May 2020 16:47:43 +0530
Subject: exec: set map length to zero when returning NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 77f55eac6c433e23e82a1b88b2d74f385c4c7d82
References: bsc#1172386, CVE-2020-13659
When mapping physical memory into host's virtual address space,
'address_space_map' may return NULL if BounceBuffer is in_use.
Set and return '*plen = 0' to avoid later NULL pointer dereference.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
exec.c | 1 +
include/exec/memory.h | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/exec.c b/exec.c
index 2874bb508853d353bca3b9790e5d..2c419f327cf925ee55c46d111272 100644
--- a/exec.c
+++ b/exec.c
@@ -3538,6 +3538,7 @@ void *address_space_map(AddressSpace *as,
if (!memory_access_is_direct(mr, is_write)) {
if (atomic_xchg(&bounce.in_use, true)) {
+ *plen = 0;
return NULL;
}
/* Avoid unbounded allocations */
diff --git a/include/exec/memory.h b/include/exec/memory.h
index e000bd2f97b2fce76a41f9b5d9f3..8fa2d3cab2d51e5328e28151c65c 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -2303,7 +2303,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
/* address_space_map: map a physical memory region into a host virtual address
*
* May map a subset of the requested range, given by and returned in @plen.
- * May return %NULL if resources needed to perform the mapping are exhausted.
+ * May return %NULL and set *@plen to zero(0), if resources needed to perform
+ * the mapping are exhausted.
* Use only for reads OR writes - not for read-modify-write operations.
* Use cpu_register_map_client() to know when retrying the map operation is
* likely to succeed.
Reference in New Issue View Git Blame Copy Permalink