808a2e2dfa
CVE-2016-6833: vmxnet3: use-after-free (bz #1368982) CVE-2016-6490: virtio: infinite loop in virtqueue_pop (bz #1361428) CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480) CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709) CVE-2016-7161: net: Heap overflow in xlnx.xps-ethernetlite (bz #1379298) CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838) CVE-2016-7422: virtio: null pointer dereference (bz #1376756) CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193) CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322) CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669) Don't depend on edk2 roms where they aren't available (bz #1373576)
30 lines
1.1 KiB
Diff
30 lines
1.1 KiB
Diff
From: Li Qiang <liqiang6-s@360.cn>
|
|
Date: Sun, 18 Sep 2016 19:48:35 -0700
|
|
Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd
|
|
|
|
While processing isochronous transfer descriptors(iTD), if the page
|
|
select(PG) field value is out of bands it will return. In this
|
|
situation the ehci's sg list is not freed thus leading to a memory
|
|
leak issue. This patch avoid this.
|
|
|
|
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
|
Reviewed-by: Thomas Huth <thuth@redhat.com>
|
|
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
|
|
---
|
|
hw/usb/hcd-ehci.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
|
index 43a8f7a..92241bb 100644
|
|
--- a/hw/usb/hcd-ehci.c
|
|
+++ b/hw/usb/hcd-ehci.c
|
|
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
|
if (off + len > 4096) {
|
|
/* transfer crosses page border */
|
|
if (pg == 6) {
|
|
+ qemu_sglist_destroy(&ehci->isgl);
|
|
return -1; /* avoid page pg + 1 */
|
|
}
|
|
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
|