1 files changed, 40 insertions, 0 deletions

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch
new file mode 100644
index 000000000000..bfe4c7d89f2b
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch
@@ -0,0 +1,40 @@
+[Qemu-devel] [PULL 21/41] exec: use qemu_ram_ptr_length to access guest 
+From: Prasad J Pandit <address@hidden>
+
+When accessing guest's ram block during DMA operation, use
+'qemu_ram_ptr_length' to get ram block pointer. It ensures
+that DMA operation of given length is possible; And avoids
+any OOB memory access situations.
+
+Reported-by: Alex <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+Message-Id: <address@hidden>
+Signed-off-by: Paolo Bonzini <address@hidden>
+---
+ exec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/exec.c b/exec.c
+index a083ff8..ad103ce 100644
+--- a/exec.c
++++ b/exec.c
+@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr,
+             }
+         } else {
+             /* RAM case */
+-            ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
++            ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
+             memcpy(ptr, buf, l);
+             invalidate_and_set_dirty(mr, addr1, l);
+         }
+@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr,
+             }
+         } else {
+             /* RAM case */
+-            ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
++            ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
+             memcpy(buf, ptr, l);
+         }
+ 
+-- 
+1.8.3.1