File CVE-2017-11334-qemuu-exec-oob-access-during-dma-operation-allowing-for-DoS.patch of Package xen.6121

Subject: exec: use qemu_ram_ptr_length to access guest ram
From: Prasad J Pandit pjp@fedoraproject.org Wed Jul 12 18:08:40 2017 +0530
Date: Fri Jul 14 11:04:34 2017 +0200:
Git: 04bf2526ce87f21b32c9acba1c5518708c243ad0

When accessing guest's ram block during DMA operation, use
'qemu_ram_ptr_length' to get ram block pointer. It ensures
that DMA operation of given length is possible; And avoids
any OOB memory access situations.

Reported-by: Alex <broscutamaker@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20170712123840.29328-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/exec.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/exec.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/exec.c
@@ -2004,7 +2004,7 @@ bool address_space_rw(AddressSpace *as,
             } else {
                 addr1 += memory_region_get_ram_addr(mr);
                 /* RAM case */
-                ptr = qemu_get_ram_ptr(addr1);
+                ptr = qemu_ram_ptr_length(addr1, &l);
                 memcpy(ptr, buf, l);
                 invalidate_and_set_dirty(addr1, l);
             }
@@ -2038,7 +2038,7 @@ bool address_space_rw(AddressSpace *as,
                 }
             } else {
                 /* RAM case */
-                ptr = qemu_get_ram_ptr(mr->ram_addr + addr1);
+                ptr = qemu_ram_ptr_length(mr->ram_addr + addr1, &l);
                 memcpy(buf, ptr, l);
             }
         }