3d039dc5d8
CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz #1432040) CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872) CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372) CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622) CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520) CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560) CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz #1446578) CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz #1452598) CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623) CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz #1457699) CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz #1459137) CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz #1468497)
62 lines
2.2 KiB
Diff
62 lines
2.2 KiB
Diff
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
Date: Mon, 2 Jan 2017 11:03:33 +0100
|
|
Subject: [PATCH] megasas: fix guest-triggered memory leak
|
|
|
|
If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
|
|
will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
|
|
Avoid this by returning only the status from map_dcmd, and loading
|
|
cmd->iov_size in the caller.
|
|
|
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
(cherry picked from commit 765a707000e838c30b18d712fe6cb3dd8e0435f3)
|
|
---
|
|
hw/scsi/megasas.c | 11 ++++++-----
|
|
1 file changed, 6 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
|
index 52a41239cf..ebf03022ed 100644
|
|
--- a/hw/scsi/megasas.c
|
|
+++ b/hw/scsi/megasas.c
|
|
@@ -672,14 +672,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
|
|
trace_megasas_dcmd_invalid_sge(cmd->index,
|
|
cmd->frame->header.sge_count);
|
|
cmd->iov_size = 0;
|
|
- return -1;
|
|
+ return -EINVAL;
|
|
}
|
|
iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
|
|
iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
|
|
pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
|
|
qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
|
|
cmd->iov_size = iov_size;
|
|
- return cmd->iov_size;
|
|
+ return 0;
|
|
}
|
|
|
|
static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
|
|
@@ -1552,19 +1552,20 @@ static const struct dcmd_cmd_tbl_t {
|
|
|
|
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
|
|
{
|
|
- int opcode, len;
|
|
+ int opcode;
|
|
int retval = 0;
|
|
+ size_t len;
|
|
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
|
|
|
|
opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
|
trace_megasas_handle_dcmd(cmd->index, opcode);
|
|
- len = megasas_map_dcmd(s, cmd);
|
|
- if (len < 0) {
|
|
+ if (megasas_map_dcmd(s, cmd) < 0) {
|
|
return MFI_STAT_MEMORY_NOT_AVAILABLE;
|
|
}
|
|
while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
|
|
cmdptr++;
|
|
}
|
|
+ len = cmd->iov_size;
|
|
if (cmdptr->opcode == -1) {
|
|
trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
|
|
retval = megasas_dcmd_dummy(s, cmd);
|