CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110) CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210) CVE-2016-10155 watchdog: memory leakage in i6300esb (bz #1415200) CVE-2017-5552: virtio-gpu-3d: memory leakage (bz #1415283) CVE-2017-5578: virtio-gpu: memory leakage (bz #1415797) CVE-2017-5667: sd: sdhci OOB access during multi block transfer (bz #1417560) CVE-2017-5856: scsi: megasas: memory leakage (bz #1418344) CVE-2017-5857: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref (bz #1418383) CVE-2017-5898: usb: integer overflow in emulated_apdu_from_guest (bz #1419700) CVE-2017-5987: sd: infinite loop issue in multi block transfers (bz #1422001) CVE-2017-6058: vmxnet3: OOB access when doing vlan stripping (bz #1423359) CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list (bz #1429434) CVE-2017-2615: cirrus: oob access while doing bitblt copy backward (bz #1418206) CVE-2017-2620: cirrus: potential arbitrary code execution (bz #1425419) Fix spice GL with new mesa/libglvnd (bz #1431905)
62 lines
1.8 KiB
Diff
62 lines
1.8 KiB
Diff
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Thu, 2 Feb 2017 16:16:24 +0530
|
|
Subject: [PATCH] net: imx: limit buffer descriptor count
|
|
|
|
i.MX Fast Ethernet Controller uses buffer descriptors to manage
|
|
data flow to/fro receive & transmit queues. While transmitting
|
|
packets, it could continue to read buffer descriptors if a buffer
|
|
descriptor has length of zero and has crafted values in bd.flags.
|
|
Set an upper limit to number of buffer descriptors.
|
|
|
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
(cherry picked from commit 81f17e0d435c3db3a3e67e0d32ebf9c98973211f)
|
|
---
|
|
hw/net/imx_fec.c | 10 ++++++----
|
|
1 file changed, 6 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
|
|
index 1c415ab..6b42c10 100644
|
|
--- a/hw/net/imx_fec.c
|
|
+++ b/hw/net/imx_fec.c
|
|
@@ -55,6 +55,8 @@
|
|
} \
|
|
} while (0)
|
|
|
|
+#define IMX_MAX_DESC 1024
|
|
+
|
|
static const char *imx_default_reg_name(IMXFECState *s, uint32_t index)
|
|
{
|
|
static char tmp[20];
|
|
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
|
|
|
|
static void imx_fec_do_tx(IMXFECState *s)
|
|
{
|
|
- int frame_size = 0;
|
|
+ int frame_size = 0, descnt = 0;
|
|
uint8_t frame[ENET_MAX_FRAME_SIZE];
|
|
uint8_t *ptr = frame;
|
|
uint32_t addr = s->tx_descriptor;
|
|
|
|
- while (1) {
|
|
+ while (descnt++ < IMX_MAX_DESC) {
|
|
IMXFECBufDesc bd;
|
|
int len;
|
|
|
|
@@ -453,12 +455,12 @@ static void imx_fec_do_tx(IMXFECState *s)
|
|
|
|
static void imx_enet_do_tx(IMXFECState *s)
|
|
{
|
|
- int frame_size = 0;
|
|
+ int frame_size = 0, descnt = 0;
|
|
uint8_t frame[ENET_MAX_FRAME_SIZE];
|
|
uint8_t *ptr = frame;
|
|
uint32_t addr = s->tx_descriptor;
|
|
|
|
- while (1) {
|
|
+ while (descnt++ < IMX_MAX_DESC) {
|
|
IMXENETBufDesc bd;
|
|
int len;
|
|
|