f081074661
CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
IPv6 DNS problems in qemu user networking (bz #1401165)
Fix crash in qxl memslot_get_virt (bz #1405847)
CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
spec: Pull in ipxe/vgabios links via -common package (bz #1431403)
Clean up binfmt.d configuration files (bz #1394859)
36 lines
1.3 KiB
Diff
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 12 Oct 2016 18:07:41 +0530
Subject: [PATCH] dma: rc4030: limit interval timer reload value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The JAZZ RC4030 chipset emulator has a periodic timer and
associated interval reload register. The reload value is used
as divider when computing timer's next tick value. If reload
value is large, it could lead to divide by zero error. Limit
the interval reload value to avoid it.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Tested-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
(cherry picked from commit c0a3172fa6bbddcc73192f2a2c48d0bf3a7ba61c)
---
hw/dma/rc4030.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
index 2f2576f..c1b4997 100644
--- a/hw/dma/rc4030.c
+++ b/hw/dma/rc4030.c
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
break;
/* Interval timer reload */
case 0x0228:
- s->itr = val;
+ s->itr = val & 0x01FF;
qemu_irq_lower(s->timer_irq);
set_next_tick(s);
break;
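Review bot: In the `case 0x0228` handler, `s->itr = val & 0x01FF;` truncates the guest-supplied value rather than clamping it, so a write of 0x0200 stores 0 instead of the maximum. The subject line says "limit", and the hunk does not show whether `set_next_tick()` is safe when `itr` is 0, so please state that in the commit message or add a guard at the point where the division happens. The mask is also a bare magic number: a named constant or a short comment saying why 9 bits is the right bound for the interval reload register would make the intent checkable. Since only this register write is changed, it is worth confirming that no other path can leave `s->itr` out of range before `set_next_tick()` runs.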