[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-2197-ahci-null-pointer.patch

From 867dcfc8c153c463090b972c2afc7b90700bab91 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 29 Jan 2016 01:18:50 +0530
Subject: [PATCH 2/2] ide: ahci: add check before calling dma_memory_unmap

When IDE AHCI emulation uses Frame Information Structures(FIS)
engine for data transfer, the mapped FIS buffer address is stored
in a static 'bounce.buffer'. When a request is made to map another
memory region, address_space_map() returns NULL because
'bounce.buffer' is in_use. It leads to a null pointer dereference
error while doing 'dma_memory_unmap'. Add a check to avoid it.

Reported-by: Zuozhi fzz <zuozhi.fzz@alibaba-inc.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/ide/ahci.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index dd1912e..ea351fe 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -661,9 +661,11 @@ static bool ahci_map_fis_address(AHCIDevice *ad)
 
 static void ahci_unmap_fis_address(AHCIDevice *ad)
 {
-    dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
-                     DMA_DIRECTION_FROM_DEVICE, 256);
-    ad->res_fis = NULL;
+    if (ad->res_fis) {
+        dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
+                         DMA_DIRECTION_FROM_DEVICE, 256);
+        ad->res_fis = NULL;
+    }
 }
 
 static bool ahci_map_clb_address(AHCIDevice *ad)
@@ -677,9 +679,11 @@ static bool ahci_map_clb_address(AHCIDevice *ad)
 
 static void ahci_unmap_clb_address(AHCIDevice *ad)
 {
-    dma_memory_unmap(ad->hba->as, ad->lst, 1024,
-                     DMA_DIRECTION_FROM_DEVICE, 1024);
-    ad->lst = NULL;
+    if (ad->lst) {
+        dma_memory_unmap(ad->hba->as, ad->lst, 1024,
+                         DMA_DIRECTION_FROM_DEVICE, 1024);
+        ad->lst = NULL;
+    }
 }
 
 static void ahci_write_fis_sdb(AHCIState *s, NCQTransferState *ncq_tfs)
-- 
2.1.4