various fixes
authorWolfgang Bumiller <w.bumiller@proxmox.com>
Fri, 21 Oct 2016 07:20:06 +0000 (09:20 +0200)
committerWolfgang Bumiller <w.bumiller@proxmox.com>
Fri, 21 Oct 2016 07:20:06 +0000 (09:20 +0200)
CVE-2016-8668:
 net: rocker: set limit to DMA buffer size
CVE-2016-8669:
 char: serial: check divider value against baud base

debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch b/debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
new file mode 100644 (file)
index 0000000..be0743d
--- /dev/null
@@ -0,0 +1,34 @@
+From 0d3ac427e34f12b1a33646d47ef3dc390a9b569d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 12 Oct 2016 14:40:55 +0530
+Subject: [PATCH 1/2] net: rocker: set limit to DMA buffer size
+
+Rocker network switch emulator has test registers to help debug
+DMA operations. While testing host DMA access, a buffer address
+is written to register 'TEST_DMA_ADDR' and its size is written to
+register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
+test, if DMA buffer size was greater than 'INT_MAX', it leads to
+an invalid buffer access. Limit the DMA buffer size to avoid it.
+
+Reported-by: Huawei PSIRT <psirt@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/net/rocker/rocker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
+index 30f2ce4..e9d215a 100644
+--- a/hw/net/rocker/rocker.c
++++ b/hw/net/rocker/rocker.c
+@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
+         rocker_msix_irq(r, val);
+         break;
+     case ROCKER_TEST_DMA_SIZE:
+-        r->test_dma_size = val;
++        r->test_dma_size = val & 0xFFFF;
+         break;
+     case ROCKER_TEST_DMA_ADDR + 4:
+         r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
+-- 
+2.1.4
+
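Review bot: The mask in `r->test_dma_size = val & 0xFFFF;` wraps an oversized guest value instead of clamping or rejecting it, and the 64 KiB bound is an unexplained magic number. A write of 0x10000 now stores 0, and the code that consumes test_dma_size is not visible in this hunk, so it is worth confirming that the DMA test paths tolerate a zero length. I would give the limit a named constant and add a comment at the assignment such as `/* guest-controlled size; keep it far below INT_MAX (CVE-2016-8668) */`. rocker_io_writel starts and ends outside the hunk.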
diff --git a/debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch b/debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
new file mode 100644 (file)
index 0000000..4ccf213
--- /dev/null
@@ -0,0 +1,35 @@
+From 7e0ebfd13e55a706396197437f375692bbf75d15 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 12 Oct 2016 11:28:08 +0530
+Subject: [PATCH 2/2] char: serial: check divider value against baud base
+
+16550A UART device uses an oscillator to generate frequencies
+(baud base), which decide communication speed. This speed could
+be changed by dividing it by a divider. If the divider is
+greater than the baud base, speed is set to zero, leading to a
+divide by zero error. Add check to avoid it.
+
+Reported-by: Huawei PSIRT <psirt@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/char/serial.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index 3442f47..eec72b7 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
+     int speed, parity, data_bits, stop_bits, frame_size;
+     QEMUSerialSetParams ssp;
+-    if (s->divider == 0)
++    if (s->divider == 0 || s->divider > s->baudbase) {
+         return;
++    }
+     /* Start bit. */
+     frame_size = 1;
+-- 
+2.1.4
+
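Review bot: The new `s->divider > s->baudbase` condition protects the later division only indirectly, and nothing at the check says so. The speed computation lies outside this hunk; going by the patch description, it is the quotient of baud base and divider that becomes zero and is then used as a divisor. A comment such as `/* divider is presumably guest-programmed; baudbase / divider must stay non-zero because it is used as a divisor below */` would tie the guard to the value it protects. The same comment should state that returning here silently keeps the previously applied serial parameters. serial_update_parameters continues past the end of the hunk.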
index b870b21e4de82c6d6c7725c6fd552a97cf340fe3..2821c4cea628c567054c512e57d956d3625f2f83 100644 (file)
@@ -63,3 +63,5 @@ extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
 extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
 extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
 extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
+extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
+extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch