From 55304052861e5d2e1ebde8420f8f7fc956763ff9 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Mon, 1 Aug 2016 14:24:42 +0200
Subject: [PATCH] Fix CVE-2016-6490: virtio: check vring descriptor buffer length

---
 ...check-vring-descriptor-buffer-length.patch | 37 +++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 38 insertions(+)
 create mode 100644 debian/patches/extra/CVE-2016-6490-virtio-check-vring-descriptor-buffer-length.patch

diff --git a/debian/patches/extra/CVE-2016-6490-virtio-check-vring-descriptor-buffer-length.patch b/debian/patches/extra/CVE-2016-6490-virtio-check-vring-descriptor-buffer-length.patch
new file mode 100644
index 0000000..d776e54
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-6490-virtio-check-vring-descriptor-buffer-length.patch
@@ -0,0 +1,37 @@
+From 3f8bf5846151f173361966cb4869ab5a1306ad37 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 27 Jul 2016 21:07:56 +0530
+Subject: [PATCH] virtio: check vring descriptor buffer length
+
+virtio back end uses set of buffers to facilitate I/O operations.
+An infinite loop unfolds in virtqueue_pop() if a buffer was
+of zero size. Add check to avoid it.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+Reviewed-by: Stefan Hajnoczi
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 30ede3d..8de896c 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -457,6 +457,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
+ unsigned num_sg = *p_num_sg;
+ assert(num_sg <= max_num_sg);
+
++ if (!sz) {
++ error_report("virtio: zero sized buffers are not allowed");
++ exit(1);
++ }
++
+ while (sz) {
+ hwaddr len = sz;
+
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 6d18225..21cf2f0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
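Review bot: The guard added at `++    if (!sz) {` turns a guest-supplied zero-length descriptor from an infinite loop into `exit(1)` of the whole QEMU process, so a guest driver can still terminate its own VM at will; this is the upstream fix as merged and is right to carry, but the packaging commit message should state that the change removes the hang rather than making malformed rings non-fatal. As far as I recall, later upstream QEMU replaced this `error_report` + `exit` pattern with a `virtio_error()` path that marks the device broken and fails the request instead of exiting, which would be the better form to pick up if the packaged QEMU is rebased. On the detection side, the `error_report` call does leave an operator-visible log line, `virtio: zero sized buffers are not allowed`, immediately before the process ends, which is the signal to alert on when a VM dies this way. Note that `virtqueue_map_desc` begins and ends outside the hunk: only the signature in the `@@` context and the head of the `while (sz)` loop are visible, so how the loop body consumes `len` after this change is not reviewable here.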
@@ -68,3 +68,4 @@ extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
 extra/0001-vga-add-sr_vbe-register-set.patch
 extra/0001-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
 extra/0002-scsi-esp-fix-migration.patch
+extra/CVE-2016-6490-virtio-check-vring-descriptor-buffer-length.patch
--
2.39.2