ea444bfb8a
security fixes OBS-URL: https://build.opensuse.org/request/show/718651 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=482
34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Thu, 25 Apr 2019 12:05:34 +0530
|
|
Subject: qxl: check release info object
|
|
|
|
When releasing spice resources in release_resource() routine,
|
|
if release info object 'ext.info' is null, it leads to null
|
|
pointer dereference. Add check to avoid it.
|
|
|
|
Reported-by: Bugs SysSec <bugs-syssec@rub.de>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Message-id: 20190425063534.32747-1-ppandit@redhat.com
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
(cherry picked from commit d52680fc932efb8a2f334cc6993e705ed1e31e99)
|
|
[LY: BSC#1135902 CVE-2019-12155]
|
|
Signed-off-by: Liang Yan <lyan@suse.com>
|
|
---
|
|
hw/display/qxl.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
|
|
index 5c38e6e906..3880a7410b 100644
|
|
--- a/hw/display/qxl.c
|
|
+++ b/hw/display/qxl.c
|
|
@@ -768,6 +768,9 @@ static void interface_release_resource(QXLInstance *sin,
|
|
uint32_t prod;
|
|
uint64_t id;
|
|
|
|
+ if (!ext.info) {
|
|
+ return;
|
|
+ }
|
|
if (ext.group_id == MEMSLOT_GROUP_HOST) {
|
|
/* host group -> vga mode update request */
|
|
QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
|