X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=debian%2Fpatches%2Fold%2FCVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch;fp=debian%2Fpatches%2Fold%2FCVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch;h=0000000000000000000000000000000000000000;hb=e8d0924679a5d7a3acfc128a1140ffdef0269338;hp=b46ab4824870e712fff94ea74f1d36d2c98020d3;hpb=dcfd9c72bc5bb92f7715f7eb52e6610bc629a1c8;p=pve-qemu-kvm.git
diff --git a/debian/patches/old/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch b/debian/patches/old/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch
deleted file mode 100644
index b46ab48..0000000
--- a/debian/patches/old/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From d9a3b33d2c9f996537b7f1d0246dee2d0120cefb Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 19 Nov 2015 15:14:07 +0200
-Subject: [PATCH] acpi: fix buffer overrun on migration
-
-ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so
-ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full
-ICH9_PMIO_GPE0_LEN bytes are migrated.
-
-As a quick work-around, allocate twice the memory.
-We'll probably want to tweak code to avoid
-migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes,
-but that is a bit trickier to do without breaking
-migration compatibility.
-
-Tested-by: "Dr. David Alan Gilbert"
-Reported-by: "Dr. David Alan Gilbert"
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Michael S. Tsirkin
----
- hw/acpi/core.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/hw/acpi/core.c b/hw/acpi/core.c
-index fe6215a..21e113d 100644
---- a/hw/acpi/core.c
-+++ b/hw/acpi/core.c
-@@ -625,8 +625,12 @@ void acpi_pm1_cnt_reset(ACPIREGS *ar)
- void acpi_gpe_init(ACPIREGS *ar, uint8_t len)
- {
- ar->gpe.len = len;
-- ar->gpe.sts = g_malloc0(len / 2);
-- ar->gpe.en = g_malloc0(len / 2);
-+ /* Only first len / 2 bytes are ever used,
-+ * but the caller in ich9.c migrates full len bytes.
-+ * TODO: fix ich9.c and drop the extra allocation.
-+ */
-+ ar->gpe.sts = g_malloc0(len);
-+ ar->gpe.en = g_malloc0(len);
- }
-
- void acpi_gpe_reset(ACPIREGS *ar)
---
-2.1.4
-