File CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-le... of Package xen.11319

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch of Package xen.11319

References: bsc#959386 CVE-2015-8568

From 3ef66b01874fcc2fe3bfc73d2b61ee3a5b29fdb6 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <address@hidden>
Date: Tue, 15 Dec 2015 12:17:28 +0530
Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device

Vmxnet3 device emulator does not check if the device is active
before activating it, also it did not free the transmit & receive
buffers while deactivating the device, thus resulting in memory
leakage on the host. This patch fixes both these issues to avoid
host memory leakage.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/vmxnet3.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)

Index: xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
===================================================================
--- xen-4.4.3-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
+++ xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
@@ -1134,8 +1134,13 @@ static void vmxnet3_reset_mac(VMXNET3Sta
 
 static void vmxnet3_deactivate_device(VMXNET3State *s)
 {
-    VMW_CBPRN("Deactivating vmxnet3...");
-    s->device_active = false;
+    if (s->device_active) {
+        VMW_CBPRN("Deactivating vmxnet3...");
+        vmxnet_tx_pkt_reset(s->tx_pkt);
+        vmxnet_tx_pkt_uninit(s->tx_pkt);
+        vmxnet_rx_pkt_uninit(s->rx_pkt);
+        s->device_active = false;
+    }
 }
 
 static void vmxnet3_reset(VMXNET3State *s)
@@ -1144,7 +1149,6 @@ static void vmxnet3_reset(VMXNET3State *
 
     vmxnet3_deactivate_device(s);
     vmxnet3_reset_interrupt_states(s);
-    vmxnet_tx_pkt_reset(s->tx_pkt);
     s->drv_shmem = 0;
     s->tx_sop = true;
     s->skip_current_tx_pkt = false;
@@ -1361,6 +1365,12 @@ static void vmxnet3_activate_device(VMXN
         return;
     }
 
+    /* Verify if device is active */
+    if (s->device_active) {
+        VMW_CFPRN("Vmxnet3 device is active");
+        return;
+    }
+
     vmxnet3_adjust_by_guest_type(s);
     vmxnet3_update_features(s);
     vmxnet3_update_pm_state(s);
@@ -1554,7 +1564,7 @@ static void vmxnet3_handle_command(VMXNE
         break;
 
     case VMXNET3_CMD_QUIESCE_DEV:
-        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
+        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
         vmxnet3_deactivate_device(s);
         break;
 
@@ -1659,7 +1669,7 @@ vmxnet3_io_bar1_write(void *opaque,
          * shared address only after we get the high part
          */
         if (0 == val) {
-            s->device_active = false;
+            vmxnet3_deactivate_device(s);
         }
         s->temp_shared_guest_driver_memory = val;
         s->drv_shmem = 0;
@@ -1939,9 +1949,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VM
 static void vmxnet3_net_uninit(VMXNET3State *s)
 {
     g_free(s->mcast_list);
-    vmxnet_tx_pkt_reset(s->tx_pkt);
-    vmxnet_tx_pkt_uninit(s->tx_pkt);
-    vmxnet_rx_pkt_uninit(s->rx_pkt);
+    vmxnet3_deactivate_device(s);
     qemu_del_nic(s->nic);
 }

Places

File CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch of Package xen.11319

Places