diff options
Diffstat (limited to 'system/xen/xsa/xsa184-qemut-master.patch')
-rw-r--r-- | system/xen/xsa/xsa184-qemut-master.patch | 43 |
1 files changed, 0 insertions, 43 deletions
diff --git a/system/xen/xsa/xsa184-qemut-master.patch b/system/xen/xsa/xsa184-qemut-master.patch deleted file mode 100644 index d15167f4ac6fd..0000000000000 --- a/system/xen/xsa/xsa184-qemut-master.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001 -From: P J P <ppandit@redhat.com> -Date: Tue, 26 Jul 2016 15:31:59 +0100 -Subject: [PATCH] virtio: error out if guest exceeds virtqueue size - -A broken or malicious guest can submit more requests than the virtqueue -size permits. - -The guest can submit requests without bothering to wait for completion -and is therefore not bound by virtqueue size. This requires reusing -vring descriptors in more than one request, which is incorrect but -possible. Processing a request allocates a VirtQueueElement and -therefore causes unbounded memory allocation controlled by the guest. - -Exit with an error if the guest provides more requests than the -virtqueue size permits. This bounds memory allocation and makes the -buggy guest visible to the user. - -Reported-by: Zhenhao Hong <zhenhaohong@gmail.com> -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/virtio.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/virtio.c b/hw/virtio.c -index c26feff..42897bf 100644 ---- a/hw/virtio.c -+++ b/hw/virtio.c -@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) - /* When we start there are none of either input nor output. */ - elem->out_num = elem->in_num = 0; - -+ if (vq->inuse >= vq->vring.num) { -+ fprintf(stderr, "Virtqueue size exceeded"); -+ exit(1); -+ } -+ - i = head = virtqueue_get_head(vq, vq->last_avail_idx++); - do { - struct iovec *sg; --- -2.1.4 - |