808a2e2dfa
CVE-2016-6833: vmxnet3: use-after-free (bz #1368982) CVE-2016-6490: virtio: infinite loop in virtqueue_pop (bz #1361428) CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480) CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709) CVE-2016-7161: net: Heap overflow in xlnx.xps-ethernetlite (bz #1379298) CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838) CVE-2016-7422: virtio: null pointer dereference (bz #1376756) CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193) CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322) CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669) Don't depend on edk2 roms where they aren't available (bz #1373576)
34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
From: Li Qiang <liqiang6-s@360.cn>
|
|
Date: Mon, 8 Aug 2016 18:08:31 +0530
|
|
Subject: [PATCH] net: vmxnet3: check for device_active before write
|
|
|
|
Vmxnet3 device emulator does not check if the device is active,
|
|
before using it for write. It leads to a use after free issue,
|
|
if the vmxnet3_io_bar0_write routine is called after the device is
|
|
deactivated. Add check to avoid it.
|
|
|
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Acked-by: Dmitry Fleytman <dmitry@daynix.com>
|
|
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
(cherry picked from commit 6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8)
|
|
---
|
|
hw/net/vmxnet3.c | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
|
index 20f26b7..a6ce16e 100644
|
|
--- a/hw/net/vmxnet3.c
|
|
+++ b/hw/net/vmxnet3.c
|
|
@@ -1158,6 +1158,10 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
|
|
{
|
|
VMXNET3State *s = opaque;
|
|
|
|
+ if (!s->device_active) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,
|
|
VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {
|
|
int tx_queue_idx =
|