b24b7f1644
CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766) CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008) CVE-2015-8701: Buffer overflow in tx_consume in rocker.c (bz #1293720) CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz #1294787) CVE-2016-1568: Use-after-free vulnerability in ahci (bz #1297023) Fix modules.d/kvm.conf example syntax (bz #1298823)
37 lines
1.4 KiB
Diff
37 lines
1.4 KiB
Diff
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Mon, 11 Jan 2016 14:10:42 -0500
|
|
Subject: [PATCH] ide: ahci: reset ncq object to unused on error
|
|
|
|
When processing NCQ commands, AHCI device emulation prepares a
|
|
NCQ transfer object; To which an aio control block(aiocb) object
|
|
is assigned in 'execute_ncq_command'. In case, when the NCQ
|
|
command is invalid, the 'aiocb' object is not assigned, and NCQ
|
|
transfer object is left as 'used'. This leads to a use after
|
|
free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
|
|
Reset NCQ transfer object to 'unused' to avoid it.
|
|
|
|
[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
|
|
|
|
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Reviewed-by: John Snow <jsnow@redhat.com>
|
|
Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
|
|
Signed-off-by: John Snow <jsnow@redhat.com>
|
|
(cherry picked from commit 4ab0359a8ae182a7ac5c99609667273167703fab)
|
|
---
|
|
hw/ide/ahci.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
|
|
index dd1912e..17f1cbd 100644
|
|
--- a/hw/ide/ahci.c
|
|
+++ b/hw/ide/ahci.c
|
|
@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
|
|
ide_state->error = ABRT_ERR;
|
|
ide_state->status = READY_STAT | ERR_STAT;
|
|
ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
|
|
+ ncq_tfs->used = 0;
|
|
}
|
|
|
|
static void ncq_finish(NCQTransferState *ncq_tfs)
|