Overview

File CVE-2016-6836-qemuu-net-vmxnet3-information-leakage-in-vmxnet3_complete_packet.patch of Package xen.11298

References: bsc#994761 CVE-2016-6836

In Vmxnet3 device emulator while processing transmit(tx) queue,
when it reaches end of packet, it calls vmxnet3_complete_packet.
In that local 'txcq_descr' object is not initialised, which could
leak host memory bytes a guest.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/net/vmxnet3.c | 1 +
 1 file changed, 1 insertion(+)

Index: xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
===================================================================
--- xen-4.5.3-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
+++ xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
@@ -498,6 +498,7 @@ static void vmxnet3_complete_packet(VMXN
 
     VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
 
+    memset(&txcq_descr, 0, sizeof(txcq_descr));
     txcq_descr.txdIdx = tx_ridx;
     txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
openSUSE Build Service is sponsored by
Places