8292994238
logging upon guest changing callback method (XSA-169) 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch - bsc#959387 - VUL-0: CVE-2015-8568 CVE-2015-8567: xen: qemu: net: vmxnet3: host memory leakage CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch - bsc#957988 - VUL-0: CVE-2015-8550: xen: paravirtualized drivers incautious about shared memory contents (XSA-155) xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch xsa155-qemuu-qdisk-double-access.patch xsa155-qemut-qdisk-double-access.patch xsa155-qemuu-xenfb.patch xsa155-qemut-xenfb.patch - bsc#959006 - VUL-0: CVE-2015-8558: xen: qemu: usb: infinite loop in ehci_advance_state results in DoS CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch - bsc#958918 - VUL-0: CVE-2015-7549: xen: qemu pci: null pointer dereference issue CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch - bsc#958493 - VUL-0: CVE-2015-8504: xen: qemu: ui: vnc: avoid floating point exception CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch - bsc#958007 - VUL-0: CVE-2015-8554: xen: qemu-dm buffer overrun in MSI-X handling (XSA-164) xsa164.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=393
53 lines
1.9 KiB
Diff
53 lines
1.9 KiB
Diff
References: bsc#957988
|
|
|
|
From 27942b0cb2327e93deb12326bbe7b36c81f9fa7b Mon Sep 17 00:00:00 2001
|
|
From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
Date: Fri, 20 Nov 2015 10:56:00 -0500
|
|
Subject: [PATCH] blkif: Avoid double access to src->nr_segments
|
|
|
|
src is stored in shared memory and src->nr_segments is dereferenced
|
|
twice at the end of the function. If a compiler decides to compile this
|
|
into two separate memory accesses then the size limitation could be
|
|
bypassed.
|
|
|
|
Fix it by removing the double access to src->nr_segments.
|
|
|
|
This is part of XSA-155.
|
|
|
|
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
---
|
|
hw/xen_blkif.h | 12 ++++++++----
|
|
1 file changed, 8 insertions(+), 4 deletions(-)
|
|
|
|
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h
|
|
===================================================================
|
|
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h
|
|
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h
|
|
@@ -79,8 +79,10 @@ static inline void blkif_get_x86_32_req(
|
|
dst->handle = src->handle;
|
|
dst->id = src->id;
|
|
dst->sector_number = src->sector_number;
|
|
- if (n > src->nr_segments)
|
|
- n = src->nr_segments;
|
|
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
|
|
+ xen_mb();
|
|
+ if (n > dst->nr_segments)
|
|
+ n = dst->nr_segments;
|
|
for (i = 0; i < n; i++)
|
|
dst->seg[i] = src->seg[i];
|
|
}
|
|
@@ -94,8 +96,10 @@ static inline void blkif_get_x86_64_req(
|
|
dst->handle = src->handle;
|
|
dst->id = src->id;
|
|
dst->sector_number = src->sector_number;
|
|
- if (n > src->nr_segments)
|
|
- n = src->nr_segments;
|
|
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
|
|
+ xen_mb();
|
|
+ if (n > dst->nr_segments)
|
|
+ n = dst->nr_segments;
|
|
for (i = 0; i < n; i++)
|
|
dst->seg[i] = src->seg[i];
|
|
}
|