[Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

2016-08-08 Thread chaojianhu
The .receive callback of xlnx.xps-ethernetlite doesn't check the length of data before calling memcpy. As a result, the NetClientState object on the heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite will be affected. Reported-by: chaojianhu Signed-off-by: chaojianhu --

[Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

2016-08-08 Thread chaojianhu
The .receive callback of xlnx.xps-ethernetlite doesn't check the length of data before calling memcpy. As a result, the NetClientState object on the heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite will be affected. Reported-by: chaojianhu --- hw/net/xilinx_ethlite.
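As an added illustration of the bug the two messages above describe (this is example code, not the patch and not QEMU's own hw/net/xilinx_ethlite.c), the model below places a fixed-size RX buffer directly in front of a sentinel that stands in for the neighbouring heap object, then delivers one oversize frame through an unchecked and a checked receive callback. The buffer size, the struct and function names, and the NEIGHBOUR_MAGIC sentinel are assumptions; the only thing taken from the report is the shape of the defect (memcpy of a caller-supplied length into a fixed buffer) and the shape of the fix (reject the frame before the copy).

```c
/*
 * Added example (not QEMU code): model of an unchecked vs. checked
 * .receive callback. Sizes, names and layout are assumptions chosen so
 * the overflow is observable: the RX buffer is followed in one allocation
 * by a sentinel standing in for the neighbouring NetClientState object.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t, as in QEMU's NetReceive signature */

#define RX_BUF_BYTES    2048          /* hypothetical RX buffer size   */
#define NEIGHBOUR_MAGIC 0xC0FFEE42u   /* sentinel in the "next" object */

/* One allocation so that the oversize memcpy stays inside a single object
 * (no undefined behaviour in the demo) but still lands on the neighbour,
 * exactly as it would on the heap. rxbuf is deliberately at offset 0. */
struct heap_region {
    uint8_t  rxbuf[RX_BUF_BYTES];
    uint32_t neighbour_magic;
};

struct model_dev {
    struct heap_region *region;
    size_t rx_len;
};

typedef ssize_t (*receive_fn)(struct model_dev *, const uint8_t *, size_t);

/* Vulnerable form: copies `size` bytes without comparing it to the buffer.
 * (The cast to the region base, where rxbuf starts, keeps a fortified
 * memcpy from rejecting the demo copy; the effect on memory is the same.) */
static ssize_t receive_unchecked(struct model_dev *s, const uint8_t *buf, size_t size)
{
    memcpy((uint8_t *)s->region, buf, size);
    s->rx_len = size;
    return (ssize_t)size;
}

/* Hardened form: refuse frames that do not fit. Returning -1 tells the
 * net layer the frame was dropped rather than consumed. */
static ssize_t receive_checked(struct model_dev *s, const uint8_t *buf, size_t size)
{
    if (size > RX_BUF_BYTES) {
        return -1;
    }
    memcpy(s->region->rxbuf, buf, size);
    s->rx_len = size;
    return (ssize_t)size;
}

/* Deliver one constructed frame of `frame_len` 0x41 bytes through fn.
 * Returns the callback's result and sets *intact to 1 if the sentinel
 * survived, 0 if it was overwritten. frame_len is capped at the region
 * size so the demo itself never steps outside the allocation. */
static ssize_t deliver_frame(receive_fn fn, size_t frame_len, int *intact)
{
    static uint8_t frame[sizeof(struct heap_region)];   /* constructed input */
    struct heap_region region;
    struct model_dev dev = { &region, 0 };
    ssize_t ret;

    if (frame_len > sizeof frame) {
        frame_len = sizeof frame;
    }
    memset(frame, 0x41, sizeof frame);
    memset(&region, 0, sizeof region);
    region.neighbour_magic = NEIGHBOUR_MAGIC;

    ret = fn(&dev, frame, frame_len);
    *intact = (region.neighbour_magic == NEIGHBOUR_MAGIC);
    return ret;
}

/* Wrappers for the two things a reviewer checks: did the neighbour
 * survive, and what did the callback report back to the net layer? */
static int neighbour_intact_after(receive_fn fn, size_t frame_len)
{
    int intact;
    deliver_frame(fn, frame_len, &intact);
    return intact;
}

static ssize_t delivered_length(receive_fn fn, size_t frame_len)
{
    int intact;
    return deliver_frame(fn, frame_len, &intact);
}

int main(void)
{
    size_t oversize = sizeof(struct heap_region);   /* runs 4 bytes past rxbuf */
    int intact;
    ssize_t ret;

    ret = deliver_frame(receive_unchecked, oversize, &intact);
    printf("unchecked: ret=%ld sentinel %s\n", (long)ret, intact ? "intact" : "CLOBBERED");

    ret = deliver_frame(receive_checked, oversize, &intact);
    printf("checked:   ret=%ld sentinel %s\n", (long)ret, intact ? "intact" : "CLOBBERED");
    return 0;
}
```

The check sits in the callback, before the copy, because that is the only place the device still knows both the frame length and its own buffer size; the sentinel in `heap_region` makes the consequence of skipping it visible without relying on a real allocator layout.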

[Qemu-devel] [PATCH] hw/ide: fix a writing to null pointer exception

2016-08-02 Thread chaojianhu
From: chaojianhu Date: Tue, 2 Aug 2016 17:39:16 +0800 Subject: [PATCH] hw/ide: fix a writing to null pointer exception In qemu earlier than v2.1.3, ide_flush_cache calls ide_flush_cb with s->bs == NULL, and ide_flush_cb calls bdrv_acct_done without checking s->bs either. Finally, bdrv_acc