1 files changed, 0 insertions, 43 deletions

diff --git a/system/xen/xsa/xsa184-qemut-master.patch b/system/xen/xsa/xsa184-qemut-master.patch
deleted file mode 100644
index d15167f4ac..0000000000
--- a/system/xen/xsa/xsa184-qemut-master.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Tue, 26 Jul 2016 15:31:59 +0100
-Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
-
-A broken or malicious guest can submit more requests than the virtqueue
-size permits.
-
-The guest can submit requests without bothering to wait for completion
-and is therefore not bound by virtqueue size.  This requires reusing
-vring descriptors in more than one request, which is incorrect but
-possible.  Processing a request allocates a VirtQueueElement and
-therefore causes unbounded memory allocation controlled by the guest.
-
-Exit with an error if the guest provides more requests than the
-virtqueue size permits.  This bounds memory allocation and makes the
-buggy guest visible to the user.
-
-Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- hw/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio.c b/hw/virtio.c
-index c26feff..42897bf 100644
---- a/hw/virtio.c
-+++ b/hw/virtio.c
-@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
-     /* When we start there are none of either input nor output. */
-     elem->out_num = elem->in_num = 0;
- 
-+    if (vq->inuse >= vq->vring.num) {
-+        fprintf(stderr, "Virtqueue size exceeded");
-+        exit(1);
-+    }
-+
-     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
-     do {
-         struct iovec *sg;
--- 
-2.1.4
-