File CVE-2016-1922-qemuu-i386-null-pointer-dereferen... of Package xen.5853

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch of Package xen.5853

References: bsc#962321 CVE-2016-1922

Subject: i386: avoid null pointer dereference
From: P J P ppandit@redhat.com Fri Dec 18 11:35:07 2015 +0530
Date: Fri Jan 15 18:58:01 2016 +0100:
Git: 4c1396cb576c9b14425558b73de1584c7a9735d7

Hello,

A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
occurs while doing I/O port write operations via hmp interface. In that,
'current_cpu' remains null as it is not called from cpu_exec loop, which
results in the said issue.

Below is a proposed (tested)patch to fix this issue; Does it look okay?

===
From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 18 Dec 2015 11:16:07 +0530
Subject: [PATCH] i386: avoid null pointer dereference

When I/O port write operation is called from hmp interface,
'current_cpu' remains null, as it is not called from cpu_exec()
loop. This leads to a null pointer dereference in vapic_write
routine. Add check to avoid it.

Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: P J P <ppandit@redhat.com>

Index: xen-4.5.2-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
===================================================================
--- xen-4.5.2-testing.orig/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
+++ xen-4.5.2-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
@@ -637,13 +637,18 @@ static int vapic_prepare(VAPICROMState *
 static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
                         unsigned int size)
 {
-    CPUState *cs = current_cpu;
-    X86CPU *cpu = X86_CPU(cs);
-    CPUX86State *env = &cpu->env;
-    hwaddr rom_paddr;
     VAPICROMState *s = opaque;
+    X86CPU *cpu;
+    CPUX86State *env;
+    hwaddr rom_paddr;
+
+    if (!current_cpu) {
+        return;
+    }
 
-    cpu_synchronize_state(cs);
+    cpu_synchronize_state(current_cpu);
+    cpu = X86_CPU(current_cpu);
+    env = &cpu->env;
 
     /*
      * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.

Places

File CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch of Package xen.5853

Places