[pve-qemu-kvm.git] / debian / patches / CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch

From d9a3b33d2c9f996537b7f1d0246dee2d0120cefb Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 19 Nov 2015 15:14:07 +0200
Subject: [PATCH] acpi: fix buffer overrun on migration

ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so
ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full
ICH9_PMIO_GPE0_LEN bytes are migrated.

As a quick work-around, allocate twice the memory.
We'll probably want to tweak code to avoid
migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes,
but that is a bit trickier to do without breaking
migration compatibility.

Tested-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/acpi/core.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index fe6215a..21e113d 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -625,8 +625,12 @@ void acpi_pm1_cnt_reset(ACPIREGS *ar)
 void acpi_gpe_init(ACPIREGS *ar, uint8_t len)
 {
     ar->gpe.len = len;
-    ar->gpe.sts = g_malloc0(len / 2);
-    ar->gpe.en = g_malloc0(len / 2);
+    /* Only first len / 2 bytes are ever used,
+     * but the caller in ich9.c migrates full len bytes.
+     * TODO: fix ich9.c and drop the extra allocation.
+     */
+    ar->gpe.sts = g_malloc0(len);
+    ar->gpe.en = g_malloc0(len);
 }
 
 void acpi_gpe_reset(ACPIREGS *ar)
-- 
2.1.4
Commit	Line	Data
1c771352 WB	1	From d9a3b33d2c9f996537b7f1d0246dee2d0120cefb Mon Sep 17 00:00:00 2001
	2	From: "Michael S. Tsirkin" <mst@redhat.com>
	3	Date: Thu, 19 Nov 2015 15:14:07 +0200
	4	Subject: [PATCH] acpi: fix buffer overrun on migration
	5
	6	ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so
	7	ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full
	8	ICH9_PMIO_GPE0_LEN bytes are migrated.
	9
	10	As a quick work-around, allocate twice the memory.
	11	We'll probably want to tweak code to avoid
	12	migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes,
	13	but that is a bit trickier to do without breaking
	14	migration compatibility.
	15
	16	Tested-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
	17	Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
	18	Cc: qemu-stable@nongnu.org
	19	Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
	20	---
	21	hw/acpi/core.c \| 8 ++++++--
	22	1 file changed, 6 insertions(+), 2 deletions(-)
	23
	24	diff --git a/hw/acpi/core.c b/hw/acpi/core.c
	25	index fe6215a..21e113d 100644
	26	--- a/hw/acpi/core.c
	27	+++ b/hw/acpi/core.c
	28	@@ -625,8 +625,12 @@ void acpi_pm1_cnt_reset(ACPIREGS *ar)
	29	void acpi_gpe_init(ACPIREGS *ar, uint8_t len)
	30	{
	31	ar->gpe.len = len;
	32	- ar->gpe.sts = g_malloc0(len / 2);
	33	- ar->gpe.en = g_malloc0(len / 2);
	34	+ /* Only first len / 2 bytes are ever used,
	35	+ * but the caller in ich9.c migrates full len bytes.
	36	+ * TODO: fix ich9.c and drop the extra allocation.
	37	+ */
	38	+ ar->gpe.sts = g_malloc0(len);
	39	+ ar->gpe.en = g_malloc0(len);
	40	}
	41
	42	void acpi_gpe_reset(ACPIREGS *ar)
	43	--
	44	2.1.4
	45