335584f502
CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520) CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560) CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz #1446578) CVE-2017-7493: 9pfs: guest privilege escalation in virtfs mapped-file mode (bz #1451711) CVE-2017-9503: megasas: null pointer dereference while processing megasas command (bz #1459478) CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz #1468497) CVE-2017-9524: nbd: segfault due to client non-negotiation (bz #1460172) CVE-2017-10664: qemu-nbd: server breaks with SIGPIPE upon client abort (bz #1466192)
31 lines
1.2 KiB
Diff
31 lines
1.2 KiB
Diff
From: P J P <ppandit@redhat.com>
|
|
Date: Tue, 25 Apr 2017 18:36:23 +0530
|
|
Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation
|
|
|
|
A guest could set the message ring page count to zero, resulting in
|
|
infinite loop. Add check to avoid it.
|
|
|
|
Reported-by: YY Z <bigbird475958471@gmail.com>
|
|
Signed-off-by: P J P <ppandit@redhat.com>
|
|
Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
|
|
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
(cherry picked from commit f68826989cd4d1217797251339579c57b3c0934e)
|
|
---
|
|
hw/scsi/vmw_pvscsi.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
|
index 75575461e2..4a106da856 100644
|
|
--- a/hw/scsi/vmw_pvscsi.c
|
|
+++ b/hw/scsi/vmw_pvscsi.c
|
|
@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
|
|
uint32_t len_log2;
|
|
uint32_t ring_size;
|
|
|
|
- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
|
|
+ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
|
|
return -1;
|
|
}
|
|
ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
|