diff options
author | Leo Famulari <leo@famulari.name> | 2017-07-17 22:14:29 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-07-17 23:47:03 -0400 |
commit | 4c4485f30491a03040bd3081e1e3d3dc9e9b7716 (patch) | |
tree | df33c9152e01193b141078121b8d2b68767c9db7 /gnu/packages/patches | |
parent | 144c8db9bd91bf5470be7a2c747885f9325f96bc (diff) | |
download | guix-4c4485f30491a03040bd3081e1e3d3dc9e9b7716.tar.gz |
gnu: qemu: Fix CVE-2017-11334.
* gnu/packages/patches/qemu-CVE-2017-11334.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/virtualization.scm (qemu)[source]: Use it.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-11334.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-11334.patch b/gnu/packages/patches/qemu-CVE-2017-11334.patch new file mode 100644 index 0000000000..cb68c803aa --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-11334.patch @@ -0,0 +1,52 @@ +Fix CVE-2017-11334: + +https://bugzilla.redhat.com/show_bug.cgi?id=1471638 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11334 + +Patch copied from upstream source repository: + +http://git.qemu.org/?p=qemu.git;a=commitdiff;h=04bf2526ce87f21b32c9acba1c5518708c243ad0 + +From 04bf2526ce87f21b32c9acba1c5518708c243ad0 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Wed, 12 Jul 2017 18:08:40 +0530 +Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram + +When accessing guest's ram block during DMA operation, use +'qemu_ram_ptr_length' to get ram block pointer. It ensures +that DMA operation of given length is possible; And avoids +any OOB memory access situations. + +Reported-by: Alex <broscutamaker@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20170712123840.29328-1-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + exec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/exec.c b/exec.c +index a083ff89ad..ad103ce483 100644 +--- a/exec.c ++++ b/exec.c +@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr, + } + } else { + /* RAM case */ +- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); ++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + memcpy(ptr, buf, l); + invalidate_and_set_dirty(mr, addr1, l); + } +@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr, + } + } else { + /* RAM case */ +- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); ++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + memcpy(buf, ptr, l); + } + +-- +2.13.3 + |