summaryrefslogtreecommitdiff
path: root/system/xen/xsa/xsa199-qemut.patch
diff options
context:
space:
mode:
Diffstat (limited to 'system/xen/xsa/xsa199-qemut.patch')
-rw-r--r--system/xen/xsa/xsa199-qemut.patch89
1 files changed, 0 insertions, 89 deletions
diff --git a/system/xen/xsa/xsa199-qemut.patch b/system/xen/xsa/xsa199-qemut.patch
deleted file mode 100644
index 50a7eb6c92..0000000000
--- a/system/xen/xsa/xsa199-qemut.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Mon, 14 Nov 2016 17:19:46 +0000
-Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit
- addresses
-
-On x86, ioport addresses are 16-bit. That these functions take 32-bit
-arguments is a mistake. Changing the argument type to 16-bit will
-discard the top bits of any erroneous values from elsewhere in qemu.
-
-Also, check just before use that the value is in range. (This turns
-an ill-advised change to MAX_IOPORTS into a possible guest crash
-rather than a privilege escalation vulnerability.)
-
-And, in the Xen ioreq processor, clamp incoming ioport addresses to
-16-bit values. Xen will never write >16-bit values but the guest may
-have access to the ioreq ring. We want to defend the rest of the qemu
-code from wrong values.
-
-This is XSA-199.
-
-Reported-by: yanghongke <yanghongke@huawei.com>
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
----
- i386-dm/helper2.c | 2 ++
- vl.c | 9 +++++++--
- 2 files changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c
-index 2706f2e..5d276bb 100644
---- a/i386-dm/helper2.c
-+++ b/i386-dm/helper2.c
-@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req)
- {
- uint32_t i;
-
-+ req->addr &= 0x0ffffU;
-+
- if (req->dir == IOREQ_READ) {
- if (!req->data_is_ptr) {
- req->data = do_inp(env, req->addr, req->size);
-diff --git a/vl.c b/vl.c
-index f9c4d7e..c3c5d63 100644
---- a/vl.c
-+++ b/vl.c
-@@ -52,6 +52,7 @@
-
- #include <xen/hvm/hvm_info_table.h>
-
-+#include <assert.h>
- #include <unistd.h>
- #include <fcntl.h>
- #include <signal.h>
-@@ -290,26 +291,30 @@ PicState2 *isa_pic;
- static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl;
- static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel;
-
--static uint32_t ioport_read(int index, uint32_t address)
-+static uint32_t ioport_read(int index, uint16_t address)
- {
- static IOPortReadFunc *default_func[3] = {
- default_ioport_readb,
- default_ioport_readw,
- default_ioport_readl
- };
-+ if (address >= MAX_IOPORTS)
-+ abort();
- IOPortReadFunc *func = ioport_read_table[index][address];
- if (!func)
- func = default_func[index];
- return func(ioport_opaque[address], address);
- }
-
--static void ioport_write(int index, uint32_t address, uint32_t data)
-+static void ioport_write(int index, uint16_t address, uint32_t data)
- {
- static IOPortWriteFunc *default_func[3] = {
- default_ioport_writeb,
- default_ioport_writew,
- default_ioport_writel
- };
-+ if (address >= MAX_IOPORTS)
-+ abort();
- IOPortWriteFunc *func = ioport_write_table[index][address];
- if (!func)
- func = default_func[index];
---
-2.1.4
-