rpms/qemu
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
d481c533c1
qemu/0043-net-imx-limit-buffer-descriptor-count.patch
Cole Robinson eaa6ce4fe2 CVE-2016-7907: net: imx: infinite loop (bz #1381182) 
CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110)
CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210)
CVE-2016-10155 watchdog: memory leakage in i6300esb (bz #1415200)
CVE-2017-5552: virtio-gpu-3d: memory leakage (bz #1415283)
CVE-2017-5578: virtio-gpu: memory leakage (bz #1415797)
CVE-2017-5667: sd: sdhci OOB access during multi block transfer (bz #1417560)
CVE-2017-5856: scsi: megasas: memory leakage (bz #1418344)
CVE-2017-5857: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref (bz #1418383)
CVE-2017-5898: usb: integer overflow in emulated_apdu_from_guest (bz #1419700)
CVE-2017-5987: sd: infinite loop issue in multi block transfers (bz #1422001)
CVE-2017-6058: vmxnet3: OOB access when doing vlan stripping (bz #1423359)
CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list (bz #1429434)
CVE-2017-2615: cirrus: oob access while doing bitblt copy backward (bz #1418206)
CVE-2017-2620: cirrus: potential arbitrary code execution (bz #1425419)
Fix spice GL with new mesa/libglvnd (bz #1431905)
2017-03-15 08:12:24 -04:00

62 lines
1.8 KiB
Diff
Raw Blame History

From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 2 Feb 2017 16:16:24 +0530
Subject: [PATCH] net: imx: limit buffer descriptor count
i.MX Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit to number of buffer descriptors.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 81f17e0d435c3db3a3e67e0d32ebf9c98973211f)
---
hw/net/imx_fec.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index 1c415ab..6b42c10 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -55,6 +55,8 @@
} \
} while (0)
+#define IMX_MAX_DESC 1024
+
static const char *imx_default_reg_name(IMXFECState *s, uint32_t index)
{
static char tmp[20];
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
static void imx_fec_do_tx(IMXFECState *s)
{
- int frame_size = 0;
+ int frame_size = 0, descnt = 0;
uint8_t frame[ENET_MAX_FRAME_SIZE];
uint8_t *ptr = frame;
uint32_t addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < IMX_MAX_DESC) {
IMXFECBufDesc bd;
int len;
@@ -453,12 +455,12 @@ static void imx_fec_do_tx(IMXFECState *s)
static void imx_enet_do_tx(IMXFECState *s)
{
- int frame_size = 0;
+ int frame_size = 0, descnt = 0;
uint8_t frame[ENET_MAX_FRAME_SIZE];
uint8_t *ptr = frame;
uint32_t addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < IMX_MAX_DESC) {
IMXENETBufDesc bd;
int len;
Reference in New Issue View Git Blame Copy Permalink