Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:GA
xen.10696
CVE-2018-18438-qemuu-007-integer-overflow-in-cc...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2018-18438-qemuu-007-integer-overflow-in-ccid_card_vscard_read-allows-memory-corruption.patch of Package xen.10696
References: bsc#1112188 CVE-2018-18438 The number of bytes can not be negative nor zero. Fixed 2 format string: - hw/char/spapr_vty.c - hw/usb/ccid-card-passthru.c Suggested-by: Paolo Bonzini <address@hidden> Signed-off-by: Philippe Mathieu-Daudé <address@hidden> Acked-by: Alberto Garcia <address@hidden> --- backends/rng-egd.c | 2 +- chardev/char-mux.c | 2 +- gdbstub.c | 2 +- hw/arm/pxa2xx.c | 2 +- hw/arm/strongarm.c | 3 ++- hw/char/bcm2835_aux.c | 2 +- hw/char/cadence_uart.c | 2 +- hw/char/cmsdk-apb-uart.c | 2 +- hw/char/digic-uart.c | 2 +- hw/char/escc.c | 2 +- hw/char/etraxfs_ser.c | 2 +- hw/char/exynos4210_uart.c | 3 ++- hw/char/grlib_apbuart.c | 2 +- hw/char/imx_serial.c | 2 +- hw/char/ipoctal232.c | 2 +- hw/char/lm32_juart.c | 2 +- hw/char/lm32_uart.c | 2 +- hw/char/mcf_uart.c | 2 +- hw/char/milkymist-uart.c | 2 +- hw/char/pl011.c | 2 +- hw/char/sclpconsole-lm.c | 2 +- hw/char/sclpconsole.c | 2 +- hw/char/serial.c | 4 ++-- hw/char/sh_serial.c | 2 +- hw/char/spapr_vty.c | 4 ++-- hw/char/stm32f2xx_usart.c | 3 ++- hw/char/terminal3270.c | 2 +- hw/char/virtio-console.c | 2 +- hw/char/xen_console.c | 2 +- hw/char/xilinx_uartlite.c | 2 +- hw/ipmi/ipmi_bmc_extern.c | 2 +- hw/misc/ivshmem.c | 4 ++-- hw/riscv/riscv_htif.c | 2 +- hw/riscv/sifive_uart.c | 2 +- hw/usb/ccid-card-passthru.c | 4 ++-- hw/usb/dev-serial.c | 2 +- hw/usb/redirect.c | 2 +- include/qemu/main-loop.h | 2 +- monitor.c | 4 ++-- net/colo-compare.c | 4 ++-- net/filter-mirror.c | 2 +- net/slirp.c | 2 +- qtest.c | 2 +- target/xtensa/xtensa-semi.c | 2 +- 44 files changed, 53 insertions(+), 50 deletions(-) Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/qemu-char.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/qemu-char.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/qemu-char.c @@ -426,7 +426,7 @@ static int mux_chr_can_read(void *opaque return 0; } -static void mux_chr_read(void *opaque, const uint8_t *buf, int size) +static void mux_chr_read(void *opaque, const uint8_t *buf, size_t size) { CharDriverState *chr = opaque; MuxDriver *d = chr->opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/grlib_apbuart.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/grlib_apbuart.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/grlib_apbuart.c @@ -136,7 +136,7 @@ static int grlib_apbuart_can_receive(voi return FIFO_LENGTH - uart->len; } -static void grlib_apbuart_receive(void *opaque, const uint8_t *buf, int size) +static void grlib_apbuart_receive(void *opaque, const uint8_t *buf, size_t size) { UART *uart = opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/imx_serial.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/imx_serial.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/imx_serial.c @@ -366,7 +366,7 @@ static void imx_put_data(void *opaque, u imx_update(s); } -static void imx_receive(void *opaque, const uint8_t *buf, int size) +static void imx_receive(void *opaque, const uint8_t *buf, size_t size) { imx_put_data(opaque, *buf); } Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/ipoctal232.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/ipoctal232.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/ipoctal232.c @@ -472,7 +472,7 @@ static int hostdev_can_receive(void *opa return ch->rx_enabled ? available_bytes : 0; } -static void hostdev_receive(void *opaque, const uint8_t *buf, int size) +static void hostdev_receive(void *opaque, const uint8_t *buf, size_t size) { SCC2698Channel *ch = opaque; IPOctalState *dev = ch->ipoctal; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/lm32_juart.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/lm32_juart.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/lm32_juart.c @@ -87,7 +87,7 @@ void lm32_juart_set_jrx(DeviceState *d, s->jrx &= ~JRX_FULL; } -static void juart_rx(void *opaque, const uint8_t *buf, int size) +static void juart_rx(void *opaque, const uint8_t *buf, size_t size) { LM32JuartState *s = opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/lm32_uart.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/lm32_uart.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/lm32_uart.c @@ -210,7 +210,7 @@ static const MemoryRegionOps uart_ops = }, }; -static void uart_rx(void *opaque, const uint8_t *buf, int size) +static void uart_rx(void *opaque, const uint8_t *buf, size_t size) { LM32UartState *s = opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/mcf_uart.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/mcf_uart.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/mcf_uart.c @@ -265,7 +265,7 @@ static int mcf_uart_can_receive(void *op return s->rx_enabled && (s->sr & MCF_UART_FFULL) == 0; } -static void mcf_uart_receive(void *opaque, const uint8_t *buf, int size) +static void mcf_uart_receive(void *opaque, const uint8_t *buf, size_t size) { mcf_uart_state *s = (mcf_uart_state *)opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/milkymist-uart.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/milkymist-uart.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/milkymist-uart.c @@ -159,7 +159,7 @@ static const MemoryRegionOps uart_mmio_o .endianness = DEVICE_NATIVE_ENDIAN, }; -static void uart_rx(void *opaque, const uint8_t *buf, int size) +static void uart_rx(void *opaque, const uint8_t *buf, size_t size) { MilkymistUartState *s = opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/pl011.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/pl011.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/pl011.c @@ -230,7 +230,7 @@ static void pl011_put_fifo(void *opaque, } } -static void pl011_receive(void *opaque, const uint8_t *buf, int size) +static void pl011_receive(void *opaque, const uint8_t *buf, size_t size) { pl011_put_fifo(opaque, *buf); } Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/sclpconsole-lm.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/sclpconsole-lm.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/sclpconsole-lm.c @@ -67,7 +67,7 @@ static int chr_can_read(void *opaque) return 0; } -static void chr_read(void *opaque, const uint8_t *buf, int size) +static void chr_read(void *opaque, const uint8_t *buf, size_t size) { SCLPConsoleLM *scon = opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/sclpconsole.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/sclpconsole.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/sclpconsole.c @@ -49,7 +49,7 @@ static int chr_can_read(void *opaque) } /* Send data from a char device over to the guest */ -static void chr_read(void *opaque, const uint8_t *buf, int size) +static void chr_read(void *opaque, const uint8_t *buf, size_t size) { SCLPConsole *scon = opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/serial.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/serial.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/serial.c @@ -103,7 +103,7 @@ do { fprintf(stderr, "serial: " fmt , ## do {} while (0) #endif -static void serial_receive1(void *opaque, const uint8_t *buf, int size); +static void serial_receive1(void *opaque, const uint8_t *buf, size_t size); static inline void recv_fifo_put(SerialState *s, uint8_t chr) { @@ -546,7 +546,7 @@ static int serial_can_receive1(void *opa return serial_can_receive(s); } -static void serial_receive1(void *opaque, const uint8_t *buf, int size) +static void serial_receive1(void *opaque, const uint8_t *buf, size_t size) { SerialState *s = opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/sh_serial.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/sh_serial.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/sh_serial.c @@ -311,7 +311,7 @@ static int sh_serial_can_receive1(void * return sh_serial_can_receive(s); } -static void sh_serial_receive1(void *opaque, const uint8_t *buf, int size) +static void sh_serial_receive1(void *opaque, const uint8_t *buf, size_t size) { sh_serial_state *s = opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/spapr_vty.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/spapr_vty.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/spapr_vty.c @@ -23,7 +23,7 @@ static int vty_can_receive(void *opaque) return (dev->in - dev->out) < VTERM_BUFSIZE; } -static void vty_receive(void *opaque, const uint8_t *buf, int size) +static void vty_receive(void *opaque, const uint8_t *buf, size_t size) { VIOsPAPRVTYDevice *dev = VIO_SPAPR_VTY_DEVICE(opaque); int i; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/virtio-console.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/virtio-console.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/virtio-console.c @@ -98,7 +98,7 @@ static int chr_can_read(void *opaque) } /* Send data from a char device over to the guest */ -static void chr_read(void *opaque, const uint8_t *buf, int size) +static void chr_read(void *opaque, const uint8_t *buf, size_t size) { VirtConsole *vcon = opaque; VirtIOSerialPort *port = VIRTIO_SERIAL_PORT(vcon); Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/xen_console.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/xen_console.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/xen_console.c @@ -127,7 +127,7 @@ static int xencons_can_receive(void *opa return ring_free_bytes(con); } -static void xencons_receive(void *opaque, const uint8_t *buf, int len) +static void xencons_receive(void *opaque, const uint8_t *buf, size_t len) { struct XenConsole *con = opaque; struct xencons_interface *intf = con->sring; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/xilinx_uartlite.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/char/xilinx_uartlite.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/char/xilinx_uartlite.c @@ -166,7 +166,7 @@ static const MemoryRegionOps uart_ops = } }; -static void uart_rx(void *opaque, const uint8_t *buf, int size) +static void uart_rx(void *opaque, const uint8_t *buf, size_t size) { XilinxUARTLite *s = opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/ccid-card-passthru.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/usb/ccid-card-passthru.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/ccid-card-passthru.c @@ -262,14 +262,14 @@ static void ccid_card_vscard_drop_connec card->vscard_in_pos = card->vscard_in_hdr = 0; } -static void ccid_card_vscard_read(void *opaque, const uint8_t *buf, int size) +static void ccid_card_vscard_read(void *opaque, const uint8_t *buf, size_t size) { PassthruState *card = opaque; VSCMsgHeader *hdr; if (card->vscard_in_pos + size > VSCARD_IN_SIZE) { error_report( - "no room for data: pos %d + size %d > %d. dropping connection.", + "no room for data: pos %d + size %zu > %d. dropping connection.", card->vscard_in_pos, size, VSCARD_IN_SIZE); ccid_card_vscard_drop_connection(card); return; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/dev-serial.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-serial.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/dev-serial.c @@ -420,7 +420,7 @@ static int usb_serial_can_read(void *opa return RECV_BUF - s->recv_used; } -static void usb_serial_read(void *opaque, const uint8_t *buf, int size) +static void usb_serial_read(void *opaque, const uint8_t *buf, size_t size) { USBSerialState *s = opaque; int first_size, start; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/redirect.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/usb/redirect.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/redirect.c @@ -1206,7 +1206,7 @@ static int usbredir_chardev_can_read(voi return 1024 * 1024; } -static void usbredir_chardev_read(void *opaque, const uint8_t *buf, int size) +static void usbredir_chardev_read(void *opaque, const uint8_t *buf, size_t size) { USBRedirDevice *dev = opaque; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/include/qemu/main-loop.h =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/include/qemu/main-loop.h +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/include/qemu/main-loop.h @@ -168,7 +168,7 @@ void qemu_del_wait_object(HANDLE handle, /* async I/O support */ -typedef void IOReadHandler(void *opaque, const uint8_t *buf, int size); +typedef void IOReadHandler(void *opaque, const uint8_t *buf, size_t size); typedef int IOCanReadHandler(void *opaque); /** Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/monitor.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/monitor.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/monitor.c @@ -4838,7 +4838,7 @@ out: /** * monitor_control_read(): Read and handle QMP input */ -static void monitor_control_read(void *opaque, const uint8_t *buf, int size) +static void monitor_control_read(void *opaque, const uint8_t *buf, size_t size) { Monitor *old_mon = cur_mon; @@ -4849,7 +4849,7 @@ static void monitor_control_read(void *o cur_mon = old_mon; } -static void monitor_read(void *opaque, const uint8_t *buf, int size) +static void monitor_read(void *opaque, const uint8_t *buf, size_t size) { Monitor *old_mon = cur_mon; int i; Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/net/slirp.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/net/slirp.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/net/slirp.c @@ -590,7 +590,7 @@ static int guestfwd_can_read(void *opaqu return slirp_socket_can_recv(fwd->slirp, fwd->server, fwd->port); } -static void guestfwd_read(void *opaque, const uint8_t *buf, int size) +static void guestfwd_read(void *opaque, const uint8_t *buf, size_t size) { struct GuestFwd *fwd = opaque; slirp_socket_recv(fwd->slirp, fwd->server, fwd->port, buf, size); Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/qtest.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/qtest.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/qtest.c @@ -451,7 +451,7 @@ static void qtest_process_inbuf(CharDriv } } -static void qtest_read(void *opaque, const uint8_t *buf, int size) +static void qtest_read(void *opaque, const uint8_t *buf, size_t size) { CharDriverState *chr = opaque;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor