- bsc#960093 - VUL-0: CVE-2015-8615: xen: x86: unintentional

logging upon guest changing callback method (XSA-169) 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch - bsc#959387 - VUL-0: CVE-2015-8568 CVE-2015-8567: xen: qemu: net: vmxnet3: host memory leakage CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch - bsc#957988 - VUL-0: CVE-2015-8550: xen: paravirtualized drivers incautious about shared memory contents (XSA-155) xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch xsa155-qemuu-qdisk-double-access.patch xsa155-qemut-qdisk-double-access.patch xsa155-qemuu-xenfb.patch xsa155-qemut-xenfb.patch - bsc#959006 - VUL-0: CVE-2015-8558: xen: qemu: usb: infinite loop in ehci_advance_state results in DoS CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch - bsc#958918 - VUL-0: CVE-2015-7549: xen: qemu pci: null pointer dereference issue CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch - bsc#958493 - VUL-0: CVE-2015-8504: xen: qemu: ui: vnc: avoid floating point exception CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch - bsc#958007 - VUL-0: CVE-2015-8554: xen: qemu-dm buffer overrun in MSI-X handling (XSA-164) xsa164.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=393
2016-01-04 22:25:00 +00:00
parent 881e6522ea
commit 8292994238
27 changed files with 1363 additions and 14 deletions
--- a/CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
+++ b/CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
@@ -0,0 +1,34 @@
+References: bsc#956832 CVE-2015-8345
+
+From: Prasad J Pandit <address@hidden>
+Date: Fri, 16 Oct 2015 11:33:27 +0530
+Subject: eepro100: prevent an infinite loop over same command block
+
+action_command() routine executes a chain of commands located
+in the Command Block List(CBL). Each Command Block(CB) has a
+link to the next CB in the list, given by 's->tx.link'.
+This is used in conjunction with the base address 's->cu_base'.
+
+An infinite loop unfolds if the 'link' to the next CB is
+same as the previous one, the loop ends up executing the same
+command over and over again.
+
+Reported-by: Qinghao Tang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/net/eepro100.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
+===================================================================
+--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
+@@ -674,6 +674,8 @@ static void eepro100_cu_command(EEPRO100
+       next_command:
+         cb_address = s->cu_base + s->cu_offset;
+         cpu_physical_memory_read(cb_address, (uint8_t *) & tx, sizeof(tx));
+        if (tx.link == s->cu_offset)
+            break;
+         uint16_t status = le16_to_cpu(tx.status);
+         uint16_t command = le16_to_cpu(tx.command);
+         logout