From: @kuhnchen18 Reviewed-by: @imxcc Signed-off-by: @imxcc
commit
2d6f58e3d2
39
hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
From 9997745aade411cc5fe27bb3c314f24698c7e20a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Qiang Ning <ningqiang1@huawei.com>
|
||||||
|
Date: Mon, 12 Jul 2021 17:30:45 +0800
|
||||||
|
Subject: [PATCH] hw/net/rocker_of_dpa: fix double free bug of rocker device
|
||||||
|
|
||||||
|
The of_dpa_cmd_add_l2_flood function of the rocker device
|
||||||
|
releases the memory of group->l2_flood.group_ids before
|
||||||
|
applying for new memory. If the l2_group configured by
|
||||||
|
the guest does not match the input group->l2_flood.group_ids,
|
||||||
|
the err_out branch is redirected to release the memory of the
|
||||||
|
group->l2_flood.group_ids branch. The pointer is not set to
|
||||||
|
NULL after the memory is freed. When the guest accesses the
|
||||||
|
of_dpa_cmd_add_l2_flood function again, the memory of
|
||||||
|
group->l2_flood.group_ids is released again. As a result,
|
||||||
|
the memory is double free.
|
||||||
|
|
||||||
|
Fix that by setting group->l2_flood.group_ids to NULL after free.
|
||||||
|
|
||||||
|
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
|
||||||
|
Signed-off-by: Qiang Ning <ningqiang1@huawei.com>
|
||||||
|
---
|
||||||
|
hw/net/rocker/rocker_of_dpa.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c
|
||||||
|
index 8e347d1ee4..0c9de5f014 100644
|
||||||
|
--- a/hw/net/rocker/rocker_of_dpa.c
|
||||||
|
+++ b/hw/net/rocker/rocker_of_dpa.c
|
||||||
|
@@ -2070,6 +2070,7 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, OfDpaGroup *group,
|
||||||
|
err_out:
|
||||||
|
group->l2_flood.group_count = 0;
|
||||||
|
g_free(group->l2_flood.group_ids);
|
||||||
|
+ group->l2_flood.group_ids = NULL;
|
||||||
|
g_free(tlvs);
|
||||||
|
|
||||||
|
return err;
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
||||||
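Review bot: The NULL assignment in err_out clears the stale pointer only on this exit path, while the commit message says the function also frees group->l2_flood.group_ids earlier, before allocating the new array. That earlier free is outside this hunk and should be checked: if any path can reach err_out between it and the reallocation, err_out would still free a dangling pointer within a single call. Using `g_clear_pointer(&group->l2_flood.group_ids, g_free);` at both sites frees and clears in one statement, so the two cannot drift apart. The message describes the bug as reachable from the guest but carries no Fixes: tag or upstream reference; add one if the change has been sent upstream.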
@ -1,6 +1,6 @@
|
|||||||
Name: qemu
|
Name: qemu
|
||||||
Version: 4.1.0
|
Version: 4.1.0
|
||||||
Release: 51
|
Release: 52
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
Summary: QEMU is a generic and open source machine emulator and virtualizer
|
Summary: QEMU is a generic and open source machine emulator and virtualizer
|
||||||
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
|
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
|
||||||
@ -321,6 +321,7 @@ Patch0308: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
|
|||||||
Patch0309: ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch
|
Patch0309: ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch
|
||||||
Patch0310: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
|
Patch0310: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
|
||||||
Patch0311: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
|
Patch0311: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
|
||||||
|
Patch0312: hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch
|
||||||
|
|
||||||
BuildRequires: flex
|
BuildRequires: flex
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
@ -708,6 +709,9 @@ getent passwd qemu >/dev/null || \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 13 2021 Chen Qun <kuhn.chenqun@huawei.com>
|
||||||
|
- hw/net/rocker_of_dpa: fix double free bug of rocker device
|
||||||
|
|
||||||
* Mon Jun 21 2021 Chen Qun <kuhn.chenqun@huawei.com>
|
* Mon Jun 21 2021 Chen Qun <kuhn.chenqun@huawei.com>
|
||||||
- ide: ahci: add check to avoid null dereference (CVE-2019-12067)
|
- ide: ahci: add check to avoid null dereference (CVE-2019-12067)
|
||||||
- hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
|
- hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
|
||||||
|
|||||||
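Review bot: The new %changelog entry repeats the patch subject but does not say that the double free is triggered by guest-controlled configuration, as the patch's commit message states, whereas the neighbouring ahci entry flags its security relevance with a CVE id. Adding a short qualifier to the entry, or the tracking id if one exists, would let consumers of the Release 52 package triage the update without opening the patch.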