Tree - rpms/qemu - src.fedoraproject.org

Blob History Raw

		808a2e2	`From: Li Qiang <liqiang6-s@360.cn>`
		808a2e2	`Date: Mon, 8 Aug 2016 18:08:31 +0530`
		808a2e2	`Subject: [PATCH] net: vmxnet3: check for device_active before write`
		808a2e2
		808a2e2	`Vmxnet3 device emulator does not check if the device is active,`
		808a2e2	`before using it for write. It leads to a use after free issue,`
		808a2e2	`if the vmxnet3_io_bar0_write routine is called after the device is`
		808a2e2	`deactivated. Add check to avoid it.`
		808a2e2
		808a2e2	`Reported-by: Li Qiang <liqiang6-s@360.cn>`
		808a2e2	`Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>`
		808a2e2	`Acked-by: Dmitry Fleytman <dmitry@daynix.com>`
		808a2e2	`Signed-off-by: Jason Wang <jasowang@redhat.com>`
		808a2e2	`(cherry picked from commit 6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8)`
		808a2e2	`---`
		808a2e2	`hw/net/vmxnet3.c \| 4 ++++`
		808a2e2	`1 file changed, 4 insertions(+)`
		808a2e2
		808a2e2	`diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c`
		808a2e2	`index 20f26b7..a6ce16e 100644`
		808a2e2	`--- a/hw/net/vmxnet3.c`
		808a2e2	`+++ b/hw/net/vmxnet3.c`
		808a2e2	`@@ -1158,6 +1158,10 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,`
		808a2e2	`{`
		808a2e2	`VMXNET3State *s = opaque;`
		808a2e2
		808a2e2	`+ if (!s->device_active) {`
		808a2e2	`+ return;`
		808a2e2	`+ }`
		808a2e2	`+`
		808a2e2	`if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,`
		808a2e2	`VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {`
		808a2e2	`int tx_queue_idx =`