File CVE-2019-12067-qemuu-ide-ahci-add-check-to-avoid-null-dereference.patch of Package xen.14030
References: bsc#1145652 CVE-2019-12067
The AHCI emulator, while committing a DMA buffer in ahci_commit_buf(),
may dereference a NULL pointer if the command header 'ad->cur_cmd'
is NULL. Add a check to avoid it.
Reported-by: Bugs SysSec <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/ide/ahci.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Index: xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/ide/ahci.c
===================================================================
--- xen-4.5.3-testing.orig/tools/qemu-xen-dir-remote/hw/ide/ahci.c
+++ xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/ide/ahci.c
@@ -1040,7 +1040,9 @@ static int ahci_start_transfer(IDEDMA *d
}
/* update number of transferred bytes */
- ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + size);
+ if (ad->cur_cmd) {
+ ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + size);
+ }
out:
/* declare that we processed everything */
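Review bot: The new `if (ad->cur_cmd)` guard in ahci_start_transfer() protects only the status update, so any earlier read of `ad->cur_cmd` in this function would still fault on a NULL header and needs the same check; the function body starts above this hunk, so that cannot be confirmed from here. The guard also skips the byte-count update silently. Once the cause is confirmed, a comment above it such as `/* cur_cmd may be NULL here (TODO: state when); no command header to account against */` would record why skipping is acceptable. The description names ahci_commit_buf(), while the patched functions are ahci_start_transfer() and ahci_dma_rw_buf(), so the reasoning is worth keeping next to the code. The same comment applies to the guard added in the ahci_dma_rw_buf() hunk.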
@@ -1107,7 +1109,9 @@ static int ahci_dma_rw_buf(IDEDMA *dma,
qemu_sglist_destroy(&s->sg);
/* update number of transferred bytes */
- ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + l);
+ if (ad->cur_cmd) {
+ ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + l);
+ }
s->io_buffer_index += l;
s->io_buffer_offset += l;
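Review bot: The NULL check in ahci_dma_rw_buf() sits after `qemu_sglist_destroy(&s->sg)`, so by then the scatter-gather list has been built and, presumably, the transfer already carried out for a command whose header is gone. `s->io_buffer_index` and `s->io_buffer_offset` still advance by `l` while the guest-visible byte count does not, which leaves device state and command header out of step. Consider testing `ad->cur_cmd` before any DMA work and bailing out early, e.g. `if (!ad->cur_cmd) { return 0; }`, provided callers treat 0 as "nothing transferred". The start of the function is outside the hunk, so the return value should be checked against its existing early exits.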