CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480) CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz #1373480) CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709) CVE-2016-7157: mptsas: invalid memory access (bz #1373505) CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838) CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777) CVE-2016-7422: virtio: null pointer dereference (bz #1376756) CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193) CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322) CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
This commit is contained in:
parent
a2729a240b
commit
3a13ddd514
@ -0,0 +1,82 @@
|
|||||||
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Date: Wed, 31 Aug 2016 12:19:29 +0530
|
||||||
|
Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor
|
||||||
|
rings
|
||||||
|
|
||||||
|
Vmware Paravirtual SCSI emulation uses command descriptors to
|
||||||
|
process SCSI commands. These descriptors come with their ring
|
||||||
|
buffers. A guest could set the page count for these rings to
|
||||||
|
an arbitrary value, leading to infinite loop or OOB access.
|
||||||
|
Add check to avoid it.
|
||||||
|
|
||||||
|
Reported-by: Tom Victor <vv474172261@gmail.com>
|
||||||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
|
||||||
|
Cc: qemu-stable@nongnu.org
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753)
|
||||||
|
---
|
||||||
|
hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
|
||||||
|
1 file changed, 9 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||||
|
index 5116f4a..4245c15 100644
|
||||||
|
--- a/hw/scsi/vmw_pvscsi.c
|
||||||
|
+++ b/hw/scsi/vmw_pvscsi.c
|
||||||
|
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
|
||||||
|
return log;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int
|
||||||
|
+static void
|
||||||
|
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||||
|
uint32_t req_ring_size, cmp_ring_size;
|
||||||
|
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
|
||||||
|
|
||||||
|
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
||||||
|
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||||
|
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
|
||||||
|
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
|
||||||
|
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||||
|
|
||||||
|
/* Flush ring state page changes */
|
||||||
|
smp_wmb();
|
||||||
|
-
|
||||||
|
- return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
|
||||||
|
|
||||||
|
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
|
||||||
|
for (i = 0; i < rc->cmpRingNumPages; i++) {
|
||||||
|
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
|
||||||
|
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -779,11 +773,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
||||||
|
|
||||||
|
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
|
||||||
|
|
||||||
|
- pvscsi_dbg_dump_tx_rings_config(rc);
|
||||||
|
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
||||||
|
+ if (!rc->reqRingNumPages
|
||||||
|
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
|
||||||
|
+ || !rc->cmpRingNumPages
|
||||||
|
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
|
||||||
|
return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ pvscsi_dbg_dump_tx_rings_config(rc);
|
||||||
|
+ pvscsi_ring_init_data(&s->rings, rc);
|
||||||
|
+
|
||||||
|
s->rings_info_valid = TRUE;
|
||||||
|
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
|
||||||
|
}
|
61
0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
Normal file
61
0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Date: Tue, 6 Sep 2016 02:20:43 +0530
|
||||||
|
Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list
|
||||||
|
|
||||||
|
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
|
||||||
|
long time or go into an infinite loop due to two different bugs:
|
||||||
|
|
||||||
|
1) the request descriptor data length is defined to be 64 bit. While
|
||||||
|
building SG list from a request descriptor, it gets truncated to 32bit
|
||||||
|
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
|
||||||
|
situation large 'dataLen' values when data_length is cast to uint32_t and
|
||||||
|
chunk_size becomes always zero. Fix this by removing the incorrect cast.
|
||||||
|
|
||||||
|
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
|
||||||
|
element has a zero length. Get out of the loop early when this happens,
|
||||||
|
by introducing an upper limit on the number of SG list elements.
|
||||||
|
|
||||||
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com>
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8)
|
||||||
|
---
|
||||||
|
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
|
||||||
|
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||||
|
index 4245c15..babac5a 100644
|
||||||
|
--- a/hw/scsi/vmw_pvscsi.c
|
||||||
|
+++ b/hw/scsi/vmw_pvscsi.c
|
||||||
|
@@ -40,6 +40,8 @@
|
||||||
|
#define PVSCSI_MAX_DEVS (64)
|
||||||
|
#define PVSCSI_MSIX_NUM_VECTORS (1)
|
||||||
|
|
||||||
|
+#define PVSCSI_MAX_SG_ELEM 2048
|
||||||
|
+
|
||||||
|
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
||||||
|
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
||||||
|
|
||||||
|
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||||
|
static void
|
||||||
|
pvscsi_convert_sglist(PVSCSIRequest *r)
|
||||||
|
{
|
||||||
|
- int chunk_size;
|
||||||
|
+ uint32_t chunk_size, elmcnt = 0;
|
||||||
|
uint64_t data_length = r->req.dataLen;
|
||||||
|
PVSCSISGState sg = r->sg;
|
||||||
|
- while (data_length) {
|
||||||
|
- while (!sg.resid) {
|
||||||
|
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
|
||||||
|
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
|
||||||
|
pvscsi_get_next_sg_elem(&sg);
|
||||||
|
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
|
||||||
|
r->sg.resid);
|
||||||
|
}
|
||||||
|
- assert(data_length > 0);
|
||||||
|
- chunk_size = MIN((unsigned) data_length, sg.resid);
|
||||||
|
+ chunk_size = MIN(data_length, sg.resid);
|
||||||
|
if (chunk_size) {
|
||||||
|
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
|
||||||
|
}
|
35
0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
Normal file
35
0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Date: Wed, 14 Sep 2016 15:09:12 +0530
|
||||||
|
Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
|
||||||
|
|
||||||
|
Vmware Paravirtual SCSI emulator while processing IO requests
|
||||||
|
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
|
||||||
|
always returned positive value. Limit IO loop to the ring size.
|
||||||
|
|
||||||
|
Cc: qemu-stable@nongnu.org
|
||||||
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
|
||||||
|
---
|
||||||
|
hw/scsi/vmw_pvscsi.c | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||||
|
index babac5a..a5ce7de 100644
|
||||||
|
--- a/hw/scsi/vmw_pvscsi.c
|
||||||
|
+++ b/hw/scsi/vmw_pvscsi.c
|
||||||
|
@@ -247,8 +247,11 @@ static hwaddr
|
||||||
|
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
|
||||||
|
{
|
||||||
|
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
|
||||||
|
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
|
||||||
|
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||||
|
|
||||||
|
- if (ready_ptr != mgr->consumed_ptr) {
|
||||||
|
+ if (ready_ptr != mgr->consumed_ptr
|
||||||
|
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
|
||||||
|
uint32_t next_ready_ptr =
|
||||||
|
mgr->consumed_ptr++ & mgr->txr_len_mask;
|
||||||
|
uint32_t next_ready_page =
|
42
0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
Normal file
42
0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Date: Thu, 8 Sep 2016 18:15:54 +0530
|
||||||
|
Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
|
||||||
|
|
||||||
|
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
|
||||||
|
the computed BITMAP and PIXMAP size are checked against the
|
||||||
|
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
|
||||||
|
Correct these checks to avoid OOB memory access.
|
||||||
|
|
||||||
|
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||||
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db)
|
||||||
|
---
|
||||||
|
hw/display/vmware_vga.c | 12 +++++++-----
|
||||||
|
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||||
|
index e51a05e..6599cf0 100644
|
||||||
|
--- a/hw/display/vmware_vga.c
|
||||||
|
+++ b/hw/display/vmware_vga.c
|
||||||
|
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||||
|
cursor.bpp = vmsvga_fifo_read(s);
|
||||||
|
|
||||||
|
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
|
||||||
|
- if (cursor.width > 256 ||
|
||||||
|
- cursor.height > 256 ||
|
||||||
|
- cursor.bpp > 32 ||
|
||||||
|
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
|
||||||
|
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
|
||||||
|
+ if (cursor.width > 256
|
||||||
|
+ || cursor.height > 256
|
||||||
|
+ || cursor.bpp > 32
|
||||||
|
+ || SVGA_BITMAP_SIZE(x, y)
|
||||||
|
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
|
||||||
|
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
|
||||||
|
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
|
||||||
|
goto badcmd;
|
||||||
|
}
|
||||||
|
|
33
0005-scsi-mptconfig-fix-an-assert-expression.patch
Normal file
33
0005-scsi-mptconfig-fix-an-assert-expression.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Date: Wed, 31 Aug 2016 17:36:07 +0530
|
||||||
|
Subject: [PATCH] scsi: mptconfig: fix an assert expression
|
||||||
|
|
||||||
|
When LSI SAS1068 Host Bus emulator builds configuration page
|
||||||
|
headers, mptsas_config_pack() should assert that the size
|
||||||
|
fits in a byte. However, the size is expressed in 32-bit
|
||||||
|
units, so up to 1020 bytes fit. The assertion was only
|
||||||
|
allowing replies up to 252 bytes, so fix it.
|
||||||
|
|
||||||
|
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
|
||||||
|
Cc: qemu-stable@nongnu.org
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
|
||||||
|
---
|
||||||
|
hw/scsi/mptconfig.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||||
|
index 7071854..3e4f400 100644
|
||||||
|
--- a/hw/scsi/mptconfig.c
|
||||||
|
+++ b/hw/scsi/mptconfig.c
|
||||||
|
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
|
||||||
|
va_end(ap);
|
||||||
|
|
||||||
|
if (data) {
|
||||||
|
- assert(ret < 256 && (ret % 4) == 0);
|
||||||
|
+ assert(ret / 4 < 256 && (ret % 4) == 0);
|
||||||
|
stb_p(*data + 1, ret / 4);
|
||||||
|
}
|
||||||
|
return ret;
|
37
0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
Normal file
37
0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
Date: Mon, 29 Aug 2016 11:35:37 +0200
|
||||||
|
Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
|
||||||
|
|
||||||
|
These issues cause respectively a QEMU crash and a leak of 2 bytes of
|
||||||
|
stack. They were discovered by VictorV of 360 Marvel Team.
|
||||||
|
|
||||||
|
Reported-by: Tom Victor <i-tangtianwen@360.cm>
|
||||||
|
Cc: qemu-stable@nongnu.org
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
|
||||||
|
---
|
||||||
|
hw/scsi/mptconfig.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||||
|
index 3e4f400..87a416a 100644
|
||||||
|
--- a/hw/scsi/mptconfig.c
|
||||||
|
+++ b/hw/scsi/mptconfig.c
|
||||||
|
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
|
||||||
|
{
|
||||||
|
/* VPD - all zeros */
|
||||||
|
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
|
||||||
|
- "s256");
|
||||||
|
+ "*s256");
|
||||||
|
}
|
||||||
|
|
||||||
|
static
|
||||||
|
@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
|
||||||
|
return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
|
||||||
|
"*l*lwwb*b*b*blww",
|
||||||
|
pcic->vendor_id, pcic->device_id, pcic->revision,
|
||||||
|
- pcic->subsystem_vendor_id,
|
||||||
|
+ pcic->class_id, pcic->subsystem_vendor_id,
|
||||||
|
pcic->subsystem_id);
|
||||||
|
}
|
||||||
|
|
29
0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
Normal file
29
0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
From: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Date: Tue, 13 Sep 2016 03:20:03 -0700
|
||||||
|
Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
|
||||||
|
|
||||||
|
If the xhci uses msix, it doesn't free the corresponding
|
||||||
|
memory, thus leading a memory leak. This patch avoid this.
|
||||||
|
|
||||||
|
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e)
|
||||||
|
---
|
||||||
|
hw/usb/hcd-xhci.c | 3 +--
|
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||||
|
index 188f954..281a2a5 100644
|
||||||
|
--- a/hw/usb/hcd-xhci.c
|
||||||
|
+++ b/hw/usb/hcd-xhci.c
|
||||||
|
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
|
||||||
|
/* destroy msix memory region */
|
||||||
|
if (dev->msix_table && dev->msix_pba
|
||||||
|
&& dev->msix_entry_used) {
|
||||||
|
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
|
||||||
|
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
|
||||||
|
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
|
||||||
|
}
|
||||||
|
|
||||||
|
usb_bus_release(&xhci->bus);
|
@ -0,0 +1,32 @@
|
|||||||
|
From: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Date: Mon, 12 Sep 2016 18:14:11 +0530
|
||||||
|
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
|
||||||
|
|
||||||
|
When processing IO request in mptsas, it uses g_new to allocate
|
||||||
|
a 'req' object. If an error occurs before 'req->sreq' is
|
||||||
|
allocated, It could lead to an OOB write in mptsas_free_request
|
||||||
|
function. Use g_new0 to avoid it.
|
||||||
|
|
||||||
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
|
||||||
|
Cc: qemu-stable@nongnu.org
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
|
||||||
|
---
|
||||||
|
hw/scsi/mptsas.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
||||||
|
index 0e0a22f..eaae1bb 100644
|
||||||
|
--- a/hw/scsi/mptsas.c
|
||||||
|
+++ b/hw/scsi/mptsas.c
|
||||||
|
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
|
||||||
|
goto bad;
|
||||||
|
}
|
||||||
|
|
||||||
|
- req = g_new(MPTSASRequest, 1);
|
||||||
|
+ req = g_new0(MPTSASRequest, 1);
|
||||||
|
QTAILQ_INSERT_TAIL(&s->pending, req, next);
|
||||||
|
req->scsi_io = *scsi_io;
|
||||||
|
req->dev = s;
|
35
0009-virtio-add-check-for-descriptor-s-mapped-address.patch
Normal file
35
0009-virtio-add-check-for-descriptor-s-mapped-address.patch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Date: Mon, 19 Sep 2016 23:55:45 +0530
|
||||||
|
Subject: [PATCH] virtio: add check for descriptor's mapped address
|
||||||
|
|
||||||
|
virtio back end uses set of buffers to facilitate I/O operations.
|
||||||
|
If its size is too large, 'cpu_physical_memory_map' could return
|
||||||
|
a null address. This would result in a null dereference while
|
||||||
|
un-mapping descriptors. Add check to avoid it.
|
||||||
|
|
||||||
|
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||||
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||||
|
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0)
|
||||||
|
---
|
||||||
|
hw/virtio/virtio.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||||
|
index 74c085c..eabe573 100644
|
||||||
|
--- a/hw/virtio/virtio.c
|
||||||
|
+++ b/hw/virtio/virtio.c
|
||||||
|
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
||||||
|
}
|
||||||
|
|
||||||
|
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
|
||||||
|
+ if (!iov[num_sg].iov_base) {
|
||||||
|
+ error_report("virtio: bogus descriptor or out of resources");
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
iov[num_sg].iov_len = len;
|
||||||
|
addr[num_sg] = pa;
|
||||||
|
|
49
0010-net-mcf-limit-buffer-descriptor-count.patch
Normal file
49
0010-net-mcf-limit-buffer-descriptor-count.patch
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Date: Thu, 22 Sep 2016 16:02:37 +0530
|
||||||
|
Subject: [PATCH] net: mcf: limit buffer descriptor count
|
||||||
|
|
||||||
|
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
|
||||||
|
data flow to/fro receive & transmit queues. While transmitting
|
||||||
|
packets, it could continue to read buffer descriptors if a buffer
|
||||||
|
descriptor has length of zero and has crafted values in bd.flags.
|
||||||
|
Set upper limit to number of buffer descriptors.
|
||||||
|
|
||||||
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||||
|
(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)
|
||||||
|
---
|
||||||
|
hw/net/mcf_fec.c | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
||||||
|
index 0ee8ad9..d31fea1 100644
|
||||||
|
--- a/hw/net/mcf_fec.c
|
||||||
|
+++ b/hw/net/mcf_fec.c
|
||||||
|
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
|
||||||
|
#define DPRINTF(fmt, ...) do {} while(0)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#define FEC_MAX_DESC 1024
|
||||||
|
#define FEC_MAX_FRAME_SIZE 2032
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||||
|
uint32_t addr;
|
||||||
|
mcf_fec_bd bd;
|
||||||
|
int frame_size;
|
||||||
|
- int len;
|
||||||
|
+ int len, descnt = 0;
|
||||||
|
uint8_t frame[FEC_MAX_FRAME_SIZE];
|
||||||
|
uint8_t *ptr;
|
||||||
|
|
||||||
|
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||||
|
ptr = frame;
|
||||||
|
frame_size = 0;
|
||||||
|
addr = s->tx_descriptor;
|
||||||
|
- while (1) {
|
||||||
|
+ while (descnt++ < FEC_MAX_DESC) {
|
||||||
|
mcf_fec_read_bd(&bd, addr);
|
||||||
|
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
|
||||||
|
addr, bd.flags, bd.length, bd.data);
|
@ -0,0 +1,65 @@
|
|||||||
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Date: Mon, 10 Oct 2016 12:46:22 +0200
|
||||||
|
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
|
||||||
|
|
||||||
|
Needed to avoid we run in circles forever in case the guest builds
|
||||||
|
an endless loop with link trbs.
|
||||||
|
|
||||||
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Tested-by: P J P <ppandit@redhat.com>
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
|
||||||
|
(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce)
|
||||||
|
---
|
||||||
|
hw/usb/hcd-xhci.c | 10 ++++++++++
|
||||||
|
1 file changed, 10 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||||
|
index 281a2a5..8a9a31a 100644
|
||||||
|
--- a/hw/usb/hcd-xhci.c
|
||||||
|
+++ b/hw/usb/hcd-xhci.c
|
||||||
|
@@ -54,6 +54,8 @@
|
||||||
|
* to the specs when it gets them */
|
||||||
|
#define ER_FULL_HACK
|
||||||
|
|
||||||
|
+#define TRB_LINK_LIMIT 4
|
||||||
|
+
|
||||||
|
#define LEN_CAP 0x40
|
||||||
|
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
|
||||||
|
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
|
||||||
|
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||||
|
dma_addr_t *addr)
|
||||||
|
{
|
||||||
|
PCIDevice *pci_dev = PCI_DEVICE(xhci);
|
||||||
|
+ uint32_t link_cnt = 0;
|
||||||
|
|
||||||
|
while (1) {
|
||||||
|
TRBType type;
|
||||||
|
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||||
|
ring->dequeue += TRB_SIZE;
|
||||||
|
return type;
|
||||||
|
} else {
|
||||||
|
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
ring->dequeue = xhci_mask64(trb->parameter);
|
||||||
|
if (trb->control & TRB_LK_TC) {
|
||||||
|
ring->ccs = !ring->ccs;
|
||||||
|
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||||
|
bool ccs = ring->ccs;
|
||||||
|
/* hack to bundle together the two/three TDs that make a setup transfer */
|
||||||
|
bool control_td_set = 0;
|
||||||
|
+ uint32_t link_cnt = 0;
|
||||||
|
|
||||||
|
while (1) {
|
||||||
|
TRBType type;
|
||||||
|
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||||
|
type = TRB_TYPE(trb);
|
||||||
|
|
||||||
|
if (type == TR_LINK) {
|
||||||
|
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||||
|
+ return -length;
|
||||||
|
+ }
|
||||||
|
dequeue = xhci_mask64(trb.parameter);
|
||||||
|
if (trb.control & TRB_LK_TC) {
|
||||||
|
ccs = !ccs;
|
29
0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
Normal file
29
0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
From: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Date: Sun, 18 Sep 2016 19:48:35 -0700
|
||||||
|
Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd
|
||||||
|
|
||||||
|
While processing isochronous transfer descriptors(iTD), if the page
|
||||||
|
select(PG) field value is out of bands it will return. In this
|
||||||
|
situation the ehci's sg list is not freed thus leading to a memory
|
||||||
|
leak issue. This patch avoid this.
|
||||||
|
|
||||||
|
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Reviewed-by: Thomas Huth <thuth@redhat.com>
|
||||||
|
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||||
|
(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
|
||||||
|
---
|
||||||
|
hw/usb/hcd-ehci.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||||
|
index b093db7..f4ece9a 100644
|
||||||
|
--- a/hw/usb/hcd-ehci.c
|
||||||
|
+++ b/hw/usb/hcd-ehci.c
|
||||||
|
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||||
|
if (off + len > 4096) {
|
||||||
|
/* transfer crosses page border */
|
||||||
|
if (pg == 6) {
|
||||||
|
+ qemu_sglist_destroy(&ehci->isgl);
|
||||||
|
return -1; /* avoid page pg + 1 */
|
||||||
|
}
|
||||||
|
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
|
@ -0,0 +1,50 @@
|
|||||||
|
From: Hans de Goede <hdegoede@redhat.com>
|
||||||
|
Date: Mon, 10 Oct 2016 12:45:13 +0200
|
||||||
|
Subject: [PATCH] usb-redir: allocate buffers before waking up the host adapter
|
||||||
|
|
||||||
|
Needed to make sure usb redirection is prepared to actually handle the
|
||||||
|
callback from the usb host adapter. Without this interrupt endpoints
|
||||||
|
don't work on xhci.
|
||||||
|
|
||||||
|
Note: On ehci the usb_wakeup() call only schedules a BH for the actual
|
||||||
|
work, which hides this bug because the allocation happens before ehci
|
||||||
|
calls back even without this patch.
|
||||||
|
|
||||||
|
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||||
|
Message-id: 1476096313-7730-1-git-send-email-kraxel@redhat.com
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
(cherry picked from commit d5c42857d6b0c35028897df8dfc3749eba6f6de3)
|
||||||
|
---
|
||||||
|
hw/usb/redirect.c | 10 +++++++---
|
||||||
|
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
|
||||||
|
index 444672a..d4ca026 100644
|
||||||
|
--- a/hw/usb/redirect.c
|
||||||
|
+++ b/hw/usb/redirect.c
|
||||||
|
@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(void *priv, uint64_t id,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ep & USB_DIR_IN) {
|
||||||
|
+ bool q_was_empty;
|
||||||
|
+
|
||||||
|
if (dev->endpoint[EP2I(ep)].interrupt_started == 0) {
|
||||||
|
DPRINTF("received int packet while not started ep %02X\n", ep);
|
||||||
|
free(data);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) {
|
||||||
|
- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
|
||||||
|
- }
|
||||||
|
+ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq);
|
||||||
|
|
||||||
|
/* bufp_alloc also adds the packet to the ep queue */
|
||||||
|
bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data);
|
||||||
|
+
|
||||||
|
+ if (q_was_empty) {
|
||||||
|
+ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
/*
|
||||||
|
* We report output interrupt packets as completed directly upon
|
@ -1,29 +0,0 @@
|
|||||||
diff -up qemu-2.7.0/hw/usb/redirect.c~ qemu-2.7.0/hw/usb/redirect.c
|
|
||||||
--- qemu-2.7.0/hw/usb/redirect.c~ 2016-09-02 17:34:20.000000000 +0200
|
|
||||||
+++ qemu-2.7.0/hw/usb/redirect.c 2016-10-10 09:18:35.319562664 +0200
|
|
||||||
@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(vo
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ep & USB_DIR_IN) {
|
|
||||||
+ bool q_was_empty;
|
|
||||||
+
|
|
||||||
if (dev->endpoint[EP2I(ep)].interrupt_started == 0) {
|
|
||||||
DPRINTF("received int packet while not started ep %02X\n", ep);
|
|
||||||
free(data);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) {
|
|
||||||
- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
|
|
||||||
- }
|
|
||||||
+ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq);
|
|
||||||
|
|
||||||
/* bufp_alloc also adds the packet to the ep queue */
|
|
||||||
bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data);
|
|
||||||
+
|
|
||||||
+ if (q_was_empty) {
|
|
||||||
+ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
|
|
||||||
+ }
|
|
||||||
} else {
|
|
||||||
/*
|
|
||||||
* We report output interrupt packets as completed directly upon
|
|
44
qemu.spec
44
qemu.spec
@ -68,7 +68,7 @@
|
|||||||
Summary: QEMU is a FAST! processor emulator
|
Summary: QEMU is a FAST! processor emulator
|
||||||
Name: qemu
|
Name: qemu
|
||||||
Version: 2.7.0
|
Version: 2.7.0
|
||||||
Release: 3%{?rcrel}%{?dist}
|
Release: 4%{?rcrel}%{?dist}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
License: GPLv2+ and LGPLv2+ and BSD
|
License: GPLv2+ and LGPLv2+ and BSD
|
||||||
Group: Development/Tools
|
Group: Development/Tools
|
||||||
@ -100,7 +100,33 @@ Source20: kvm.conf
|
|||||||
# /etc/sysctl.d/50-kvm-s390x.conf
|
# /etc/sysctl.d/50-kvm-s390x.conf
|
||||||
Source21: 50-kvm-s390x.conf
|
Source21: 50-kvm-s390x.conf
|
||||||
|
|
||||||
Patch1: qemu-2.7.0-usb-redirect-wakeup.patch
|
# CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
|
||||||
|
Patch0001: 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch
|
||||||
|
# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
|
||||||
|
Patch0002: 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
|
||||||
|
# CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
|
||||||
|
# #1373480)
|
||||||
|
Patch0003: 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
|
||||||
|
# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
|
||||||
|
Patch0004: 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
|
||||||
|
# CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
|
||||||
|
Patch0005: 0005-scsi-mptconfig-fix-an-assert-expression.patch
|
||||||
|
Patch0006: 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
|
||||||
|
# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
|
||||||
|
Patch0007: 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
|
||||||
|
# CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
|
||||||
|
Patch0008: 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
|
||||||
|
# CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
|
||||||
|
Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch
|
||||||
|
# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
|
||||||
|
Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch
|
||||||
|
# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
|
||||||
|
Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
|
||||||
|
# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
|
||||||
|
Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
|
||||||
|
# Fix interrupt endpoints not working with network/spice USB redirection on
|
||||||
|
# guest with an emulated xhci controller (bz #1382331)
|
||||||
|
Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
|
||||||
|
|
||||||
# documentation deps
|
# documentation deps
|
||||||
BuildRequires: texi2html
|
BuildRequires: texi2html
|
||||||
@ -1565,6 +1591,20 @@ getent passwd qemu >/dev/null || \
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Oct 15 2016 Cole Robinson <crobinso@redhat.com> - 2:2.7.0-4
|
||||||
|
- CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
|
||||||
|
- CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
|
||||||
|
- CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
|
||||||
|
#1373480)
|
||||||
|
- CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
|
||||||
|
- CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
|
||||||
|
- CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
|
||||||
|
- CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
|
||||||
|
- CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
|
||||||
|
- CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
|
||||||
|
- CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
|
||||||
|
- CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
|
||||||
|
|
||||||
* Mon Oct 10 2016 Hans de Goede <hdegoede@redhat.com> - 2:2.7.0-3
|
* Mon Oct 10 2016 Hans de Goede <hdegoede@redhat.com> - 2:2.7.0-3
|
||||||
- Fix interrupt endpoints not working with network/spice USB redirection
|
- Fix interrupt endpoints not working with network/spice USB redirection
|
||||||
on guest with an emulated xhci controller (rhbz#1382331)
|
on guest with an emulated xhci controller (rhbz#1382331)
|
||||||
|
Loading…
Reference in New Issue
Block a user