git.proxmox.com Git - pve-qemu-kvm.git/blob - debian/patches/extra/CVE-2016-6490-virtio-check-vring-descriptor-buffer-length.patch
Fix CVE-2016-6490: virtio: check vring descriptor buffer length
1 From 3f8bf5846151f173361966cb4869ab5a1306ad37 Mon Sep 17 00:00:00 2001
2 From: Prasad J Pandit <pjp@fedoraproject.org>
3 Date: Wed, 27 Jul 2016 21:07:56 +0530
4 Subject: [PATCH] virtio: check vring descriptor buffer length
5
6 The virtio back end uses a set of buffers to facilitate I/O operations.
7 An infinite loop unfolds in virtqueue_pop() if a buffer was
8 of zero size. Add a check to avoid it.
9
10 Reported-by: Li Qiang <liqiang6-s@360.cn>
11 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
12 Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
13 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
14 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
15 ---
16 hw/virtio/virtio.c | 5 +++++
17 1 file changed, 5 insertions(+)
18
19 diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
20 index 30ede3d..8de896c 100644
21 --- a/hw/virtio/virtio.c
22 +++ b/hw/virtio/virtio.c
23 @@ -457,6 +457,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
24 unsigned num_sg = *p_num_sg;
25 assert(num_sg <= max_num_sg);
26
27 + if (!sz) {
28 + error_report("virtio: zero sized buffers are not allowed");
29 + exit(1);
30 + }
31 +
32 while (sz) {
33 hwaddr len = sz;
34
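Review bot: the new `if (!sz)` branch at the top of virtqueue_map_desc() ends in `exit(1)`, so a single zero-length descriptor, a value the guest controls, terminates the whole QEMU process instead of failing only the device that received it. That replaces the hang with a guest-triggerable abort. Since the function is `static void`, consider giving it a return value so that virtqueue_pop() can stop processing the queue and report the error there, keeping the failure contained to the device. The message "virtio: zero sized buffers are not allowed" would also be easier to act on from a host log if it named the device or queue. Finally, a short comment above the check would help: from these lines alone, `while (sz)` is simply skipped when sz is 0, and the loop the commit message refers to is in virtqueue_pop(), which is not obvious when reading this function by itself.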
35 --
36 2.1.4
37