[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch

From 0d3ac427e34f12b1a33646d47ef3dc390a9b569d Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 12 Oct 2016 14:40:55 +0530
Subject: [PATCH 1/2] net: rocker: set limit to DMA buffer size

Rocker network switch emulator has test registers to help debug
DMA operations. While testing host DMA access, a buffer address
is written to register 'TEST_DMA_ADDR' and its size is written to
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
test, if DMA buffer size was greater than 'INT_MAX', it leads to
an invalid buffer access. Limit the DMA buffer size to avoid it.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/rocker/rocker.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
index 30f2ce4..e9d215a 100644
--- a/hw/net/rocker/rocker.c
+++ b/hw/net/rocker/rocker.c
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
         rocker_msix_irq(r, val);
         break;
     case ROCKER_TEST_DMA_SIZE:
-        r->test_dma_size = val;
+        r->test_dma_size = val & 0xFFFF;
         break;
     case ROCKER_TEST_DMA_ADDR + 4:
         r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
-- 
2.1.4
Commit	Line	Data
282838af WB	1	From 0d3ac427e34f12b1a33646d47ef3dc390a9b569d Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Wed, 12 Oct 2016 14:40:55 +0530
	4	Subject: [PATCH 1/2] net: rocker: set limit to DMA buffer size
	5
	6	Rocker network switch emulator has test registers to help debug
	7	DMA operations. While testing host DMA access, a buffer address
	8	is written to register 'TEST_DMA_ADDR' and its size is written to
	9	register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
	10	test, if DMA buffer size was greater than 'INT_MAX', it leads to
	11	an invalid buffer access. Limit the DMA buffer size to avoid it.
	12
	13	Reported-by: Huawei PSIRT <psirt@huawei.com>
	14	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	15	---
	16	hw/net/rocker/rocker.c \| 2 +-
	17	1 file changed, 1 insertion(+), 1 deletion(-)
	18
	19	diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
	20	index 30f2ce4..e9d215a 100644
	21	--- a/hw/net/rocker/rocker.c
	22	+++ b/hw/net/rocker/rocker.c
	23	@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
	24	rocker_msix_irq(r, val);
	25	break;
	26	case ROCKER_TEST_DMA_SIZE:
	27	- r->test_dma_size = val;
	28	+ r->test_dma_size = val & 0xFFFF;
	29	break;
	30	case ROCKER_TEST_DMA_ADDR + 4:
	31	r->test_dma_addr = ((uint64_t)val) << 32 \| r->lower32;
	32	--
	33	2.1.4
	34