SHA256
1
0
forked from pool/qemu
qemu/0071-exec-use-qemu_ram_ptr_length-to-acc.patch
Bruce Rogers 481686d650 Accepting request 512570 from home:bfrogers:branches:Virtualization
Include latest security fixes. Also fix support statements. Also adjust to recent libvdeplug-devel package name change.

OBS-URL: https://build.opensuse.org/request/show/512570
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=350
2017-07-25 20:21:37 +00:00

44 lines
1.6 KiB
Diff

From f6658a500e003e91225f59bc2c2305c6b7d2f0d1 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 12 Jul 2017 18:08:40 +0530
Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram
When accessing guest's ram block during DMA operation, use
'qemu_ram_ptr_length' to get ram block pointer. It ensures
that DMA operation of given length is possible; And avoids
any OOB memory access situations.
Reported-by: Alex <broscutamaker@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20170712123840.29328-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 04bf2526ce87f21b32c9acba1c5518708c243ad0)
[BR: BSC#1048902 CVE-2017-11334]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
exec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/exec.c b/exec.c
index b47b3f9096..1de9107b61 100644
--- a/exec.c
+++ b/exec.c
@@ -2767,7 +2767,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr,
}
} else {
/* RAM case */
- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
memcpy(ptr, buf, l);
invalidate_and_set_dirty(mr, addr1, l);
}
@@ -2858,7 +2858,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr,
}
} else {
/* RAM case */
- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
memcpy(buf, ptr, l);
}