Fix CVE-2016-2197 and CVE-2016-2198
[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-2198-ehci-null-pointer.patch
1 From f1a42b805bb9290e7c03358ce803c311f5aa8a69 Mon Sep 17 00:00:00 2001
2 From: Prasad J Pandit <pjp@fedoraproject.org>
3 Date: Fri, 29 Jan 2016 18:30:34 +0530
4 Subject: [PATCH 1/2] usb: ehci: add capability mmio write function
5
6 USB Ehci emulation supports host controller capability registers.
7 But its mmio '.write' function was missing, which led to a null
8 pointer dereference issue. Add a do nothing 'ehci_caps_write'
9 definition to avoid it; Do nothing because capability registers
10 are Read Only(RO).
11
12 Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
13 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
14 ---
15 hw/usb/hcd-ehci.c | 6 ++++++
16 1 file changed, 6 insertions(+)
17
18 diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
19 index 4e2161b..5f726a9 100644
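--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr,
 return s->caps[addr];
 }
 
+static void ehci_caps_write(void *ptr, hwaddr addr,
+ uint64_t val, unsigned size)
+{
+}
+
 static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
 unsigned size)
 {
@@ -2310,6 +2315,7 @@ static void ehci_frame_timer(void *opaque)
 
 static const MemoryRegionOps ehci_mmio_caps_ops = {
 .read = ehci_caps_read,
+ .write = ehci_caps_write,
 .valid.min_access_size = 1,
 .valid.max_access_size = 4,
 .impl.min_access_size = 1,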
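Review bot: The new `ehci_caps_write` stub in the first hunk has an empty body and no comment, so nothing in the code says that discarding the write is deliberate or that the handler has to stay registered. Per the commit message, the missing `.write` callback is what let a guest MMIO write to the capability region reach a null pointer, so I would add above the function `/* Capability registers are read-only: guest writes are discarded. Keep this handler; without a .write callback a guest write dereferences NULL. */`. Any other `MemoryRegionOps` table in this file that sets only `.read` would presumably have the same exposure, which cannot be checked from these hunks. The `ehci_mmio_caps_ops` initializer continues past the end of the second hunk.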
42 --
43 2.1.4
44