diff options
Diffstat (limited to 'app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch')
-rw-r--r-- | app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch new file mode 100644 index 000000000000..bfe4c7d89f2b --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch @@ -0,0 +1,40 @@ +[Qemu-devel] [PULL 21/41] exec: use qemu_ram_ptr_length to access guest +From: Prasad J Pandit <address@hidden> + +When accessing guest's ram block during DMA operation, use +'qemu_ram_ptr_length' to get ram block pointer. It ensures +that DMA operation of given length is possible; And avoids +any OOB memory access situations. + +Reported-by: Alex <address@hidden> +Signed-off-by: Prasad J Pandit <address@hidden> +Message-Id: <address@hidden> +Signed-off-by: Paolo Bonzini <address@hidden> +--- + exec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/exec.c b/exec.c +index a083ff8..ad103ce 100644 +--- a/exec.c ++++ b/exec.c +@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr, + } + } else { + /* RAM case */ +- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); ++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + memcpy(ptr, buf, l); + invalidate_and_set_dirty(mr, addr1, l); + } +@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr, + } + } else { + /* RAM case */ +- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); ++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + memcpy(buf, ptr, l); + } + +-- +1.8.3.1 |