]> git.proxmox.com Git - pve-qemu-kvm.git/blobdiff - debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
projects / pve-qemu-kvm.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
update to qemu-2.9.0-rc2
[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
diff --git a/debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch b/debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
deleted file mode 100644 (file)
index d4a133a..0000000
--- a/debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From a8ceb006190b9072b0b9866ec5a07bd6de4eca6d Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 6 Sep 2016 23:23:17 +0530
-Subject: [PATCH 5/6] scsi: pvscsi: avoid infinite loop while building SG list
-
-In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
-long time or go into an infinite loop due to two different bugs:
-
-1) the request descriptor data length is defined to be 64 bit. While
-building SG list from a request descriptor, it gets truncated to 32bit
-in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
-situation for large 'dataLen' values, when data_length is cast to uint32_t
-and chunk_size becomes always zero.  Fix this by removing the incorrect
-cast.
-
-2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
-element has a zero length.  Get out of the loop early when this happens,
-by introducing an upper limit on the number of SG list elements.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
----
- hw/scsi/vmw_pvscsi.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index 22f872c..e43e0a4 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -40,6 +40,8 @@
- #define PVSCSI_MAX_DEVS                   (64)
- #define PVSCSI_MSIX_NUM_VECTORS           (1)
-+#define PVSCSI_MAX_SG_ELEM                2048
-+
- #define PVSCSI_MAX_CMD_DATA_WORDS \
-     (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
-@@ -629,17 +631,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
- static void
- pvscsi_convert_sglist(PVSCSIRequest *r)
- {
--    int chunk_size;
-+    uint32_t chunk_size, elmcnt = 0;
-     uint64_t data_length = r->req.dataLen;
-     PVSCSISGState sg = r->sg;
--    while (data_length) {
--        while (!sg.resid) {
-+    while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
-+        while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
-             pvscsi_get_next_sg_elem(&sg);
-             trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
-                                         r->sg.resid);
-         }
--        assert(data_length > 0);
--        chunk_size = MIN((unsigned) data_length, sg.resid);
-+        chunk_size = MIN(data_length, sg.resid);
-         if (chunk_size) {
-             qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
-         }
--- 
-2.1.4
-
old QEMU for PVE