Fix CVE-2017-11334: https://bugzilla.redhat.com/show_bug.cgi?id=1471638 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11334 Patch copied from upstream source repository: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=04bf2526ce87f21b32c9acba1c5518708c243ad0 From 04bf2526ce87f21b32c9acba1c5518708c243ad0 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Wed, 12 Jul 2017 18:08:40 +0530 Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram When accessing guest's ram block during DMA operation, use 'qemu_ram_ptr_length' to get ram block pointer. It ensures that DMA operation of given length is possible; And avoids any OOB memory access situations. Reported-by: Alex Signed-off-by: Prasad J Pandit Message-Id: <20170712123840.29328-1-ppandit@redhat.com> Signed-off-by: Paolo Bonzini --- exec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/exec.c b/exec.c index a083ff89ad..ad103ce483 100644 --- a/exec.c +++ b/exec.c @@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr, } } else { /* RAM case */ - ptr = qemu_map_ram_ptr(mr->ram_block, addr1); + ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); memcpy(ptr, buf, l); invalidate_and_set_dirty(mr, addr1, l); } @@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr, } } else { /* RAM case */ - ptr = qemu_map_ram_ptr(mr->ram_block, addr1); + ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); memcpy(buf, ptr, l); } -- 2.13.3