SUSE:SLE-12-SP3:GA
File 0072-usb-ehci-fix-memory-leak-in-ehci_pr.patch of Package qemu.4225
From 7e510dddf6ef01b762f8791bfe536a2d0aa87da1 Mon Sep 17 00:00:00 2001 From: Li Qiang <liqiang6-s@360.cn> Date: Sun, 18 Sep 2016 19:48:35 -0700 Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd While processing isochronous transfer descriptors(iTD), if the page select(PG) field value is out of bands it will return. In this situation the ehci's sg list is not freed thus leading to a memory leak issue. This patch avoid this. Signed-off-by: Li Qiang <liqiang6-s@360.cn> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a) [BR: CVE-2016-7995 BSC#1003612] Signed-off-by: Bruce Rogers <brogers@suse.com> --- hw/usb/hcd-ehci.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index 43a8f7abcc..92241bbad7 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci, if (off + len > 4096) { /* transfer crosses page border */ if (pg == 6) { + qemu_sglist_destroy(&ehci->isgl); return -1; /* avoid page pg + 1 */ } ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
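Review bot: the added `qemu_sglist_destroy(&ehci->isgl);` in the `if (pg == 6)` branch of `ehci_process_itd` releases the list on this one early `return -1` only, and the six lines of context do not show where `ehci->isgl` is initialised or which other exits follow that point. Please confirm that every return between the list's initialisation and its normal destroy releases it. Consider routing the error exits through a single cleanup label, so a later early return cannot reintroduce the leak. The commit message describes the condition as the PG field being out of bounds, while the visible check is `pg == 6` inside the `off + len > 4096` case; a short comment next to the new call saying that the list built so far is dropped because page `pg + 1` does not exist would help the next reader.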