qemu/0034-usb-ehci-fix-memory-le...

From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 8 Nov 2016 04:11:10 -0800
Subject: [PATCH] usb: ehci: fix memory leak in ehci_init_transfer

In ehci_init_transfer function, if the 'cpage' is bigger than 4,
it doesn't free the 'p->sgl' once allocated previously thus leading
a memory leak issue. This patch avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 5821c0f4.091c6b0a.e0c92.e811@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 791f97758e223de3290592d169f8e6339c281714)
---
 hw/usb/hcd-ehci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index f4ece9a..7622a3a 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)
     while (bytes > 0) {
         if (cpage > 4) {
             fprintf(stderr, "cpage out of range (%d)\n", cpage);
+            qemu_sglist_destroy(&p->sgl);
             return -1;
         }
CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) Infinite loop vulnerability in a9_gtimer_update (bz #1388300) CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285) 2017-01-16 21:04:06 +00:00			`From: Li Qiang <liqiang6-s@360.cn>`
			`Date: Tue, 8 Nov 2016 04:11:10 -0800`
			`Subject: [PATCH] usb: ehci: fix memory leak in ehci_init_transfer`

			`In ehci_init_transfer function, if the 'cpage' is bigger than 4,`
			`it doesn't free the 'p->sgl' once allocated previously thus leading`
			`a memory leak issue. This patch avoid this.`

			`Signed-off-by: Li Qiang <liqiang6-s@360.cn>`
			`Message-id: 5821c0f4.091c6b0a.e0c92.e811@mx.google.com`
			`Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>`
			`(cherry picked from commit 791f97758e223de3290592d169f8e6339c281714)`
			`---`
			`hw/usb/hcd-ehci.c \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c`
			`index f4ece9a..7622a3a 100644`
			`--- a/hw/usb/hcd-ehci.c`
			`+++ b/hw/usb/hcd-ehci.c`
			`@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)`
			`while (bytes > 0) {`
			`if (cpage > 4) {`
			`fprintf(stderr, "cpage out of range (%d)\n", cpage);`
			`+ qemu_sglist_destroy(&p->sgl);`
			`return -1;`
			`}`