aboutsummaryrefslogtreecommitdiff
path: root/system/xen/xsa/xsa184-qemut-master.patch
diff options
context:
space:
mode:
Diffstat (limited to 'system/xen/xsa/xsa184-qemut-master.patch')
-rw-r--r--system/xen/xsa/xsa184-qemut-master.patch43
1 files changed, 0 insertions, 43 deletions
diff --git a/system/xen/xsa/xsa184-qemut-master.patch b/system/xen/xsa/xsa184-qemut-master.patch
deleted file mode 100644
index d15167f4ac6fd..0000000000000
--- a/system/xen/xsa/xsa184-qemut-master.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Tue, 26 Jul 2016 15:31:59 +0100
-Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
-
-A broken or malicious guest can submit more requests than the virtqueue
-size permits.
-
-The guest can submit requests without bothering to wait for completion
-and is therefore not bound by virtqueue size. This requires reusing
-vring descriptors in more than one request, which is incorrect but
-possible. Processing a request allocates a VirtQueueElement and
-therefore causes unbounded memory allocation controlled by the guest.
-
-Exit with an error if the guest provides more requests than the
-virtqueue size permits. This bounds memory allocation and makes the
-buggy guest visible to the user.
-
-Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- hw/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio.c b/hw/virtio.c
-index c26feff..42897bf 100644
---- a/hw/virtio.c
-+++ b/hw/virtio.c
-@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
- /* When we start there are none of either input nor output. */
- elem->out_num = elem->in_num = 0;
-
-+ if (vq->inuse >= vq->vring.num) {
-+ fprintf(stderr, "Virtqueue size exceeded");
-+ exit(1);
-+ }
-+
- i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
- do {
- struct iovec *sg;
---
-2.1.4
-