guix/gnu/packages/patches/qemu-CVE-2015-8613.patch
Mark H Weaver fd9a5b0fc3 gnu: qemu: Update to 2.5.0; add fixes for security flaws.
* gnu/packages/patches/qemu-CVE-2015-6855.patch: Delete file.
* gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch,
  gnu/packages/patches/qemu-CVE-2015-8558.patch,
  gnu/packages/patches/qemu-CVE-2015-8567.patch,
  gnu/packages/patches/qemu-CVE-2015-8613.patch,
  gnu/packages/patches/qemu-CVE-2015-8701.patch,
  gnu/packages/patches/qemu-CVE-2015-8743.patch,
  gnu/packages/patches/qemu-CVE-2016-1568.patch,
  gnu/packages/patches/qemu-CVE-2016-1922.patch: New files.
* gnu-system.am (dist_patch_DATA): Remove 'qemu-CVE-2015-6855.patch'; add the
  new patches.
* gnu/packages/qemu.scm (qemu): Update to 2.5.0.
  [source]: Remove old patches and add new ones.
  [arguments]: Add 'disable-test-qga' phase.
  (%glib-memory-vtable-patch, %glib-duplicate-test-patch): Remove variables.
2016-02-03 00:05:22 -05:00

36 lines
1.2 KiB
Diff

From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001
From: P J P <ppandit@redhat.com>
Date: Mon, 21 Dec 2015 15:13:13 +0530
Subject: [PATCH] scsi: initialise info object with appropriate size
While processing controller 'CTRL_GET_INFO' command, the routine
'megasas_ctrl_get_info' overflows the '&info' object size. Use its
appropriate size to null initialise it.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: P J P <ppandit@redhat.com>
---
hw/scsi/megasas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index d7dc667..576f56c 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
BusChild *kid;
int num_pd_disks = 0;
- memset(&info, 0x0, cmd->iov_size);
+ memset(&info, 0x0, dcmd_size);
if (cmd->iov_size < dcmd_size) {
trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
dcmd_size);
--
2.6.3