qemu: CVE-2017-8309

Qemu built with the Audio subsystem support is vulnerable to a host memory leakage issue. It could occur if a guest user was to repeatedly start and stop audio capture. A privileged user inside guest could use this flaw to exhaust host memory, resulting in DoS. Reference: ========== https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8309 Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-08-29 10:29:30 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-08-29 13:32:58 +0200
commit: 7da6ebdca2d6b30dd6240db73b0c7605c310a4f1 (patch)
tree: 2a0e79f8fb004022275d9b6f52ac7ace27ec1910
parent: 534a1c7f012e2099ce83bcab35c25cd587c9f3af (diff)
download: meta-el-common-7da6ebdca2d6b30dd6240db73b0c7605c310a4f1.tar.gz
2 files changed, 43 insertions, 0 deletions
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-8309.patch b/recipes-devtools/qemu/qemu/CVE-2017-8309.patch
new file mode 100644
index 0000000..812e64b
--- /dev/null
+++ b/recipes-devtools/qemu/qemu/CVE-2017-8309.patch
@@ -0,0 +1,42 @@
+From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 09:56:12 +0200
+Subject: [PATCH] audio: release capture buffers
+AUD_add_capture() allocates two buffers which are never released.
+Add the missing calls to AUD_del_capture().
+Impact: Allows vnc clients to exhaust host memory by repeatedly
+starting and stopping audio capture.
+Fixes: CVE-2017-8309
+CVE-2017-8309
+Upstream-Status: Backport [backport from master, v2.10.0-rc0~214^2~27]
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170428075612.9997-1-kraxel@redhat.com
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ audio/audio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/audio/audio.c b/audio/audio.c
+index c8898d8..beafed2 100644
+--- a/audio/audio.c
+++ b/audio/audio.c
+@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
+                     sw = sw1;
+                 }
+                 QLIST_REMOVE (cap, entries);
+                g_free (cap->hw.mix_buf);
+                g_free (cap->buf);
+                 g_free (cap);
+             }
+             return;
+--
+1.9.1
diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend
index 8db32c5..3ebff2d 100644
--- a/recipes-devtools/qemu/qemu_%.bbappend
+++ b/recipes-devtools/qemu/qemu_%.bbappend
@@ -5,4 +5,5 @@ SRC_URI += "file://0001-CVE-2017-2620.patch \
            file://0002-CVE-2017-2620.patch \
            file://CVE-2017-7471.patch \
            file://CVE-2017-6505.patch \
+            file://CVE-2017-8309.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-08-29 10:29:30 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-08-29 13:32:58 +0200
commit	7da6ebdca2d6b30dd6240db73b0c7605c310a4f1 (patch)
tree	2a0e79f8fb004022275d9b6f52ac7ace27ec1910
parent	534a1c7f012e2099ce83bcab35c25cd587c9f3af (diff)
download	meta-el-common-7da6ebdca2d6b30dd6240db73b0c7605c310a4f1.tar.gz

diff --git a/recipes-devtools/qemu/qemu/CVE-2017-8309.patch b/recipes-devtools/qemu/qemu/CVE-2017-8309.patch new file mode 100644 index 0000000..812e64b --- /dev/null +++ b/recipes-devtools/qemu/qemu/CVE-2017-8309.patch
@@ -0,0 +1,42 @@
		1	From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
		2	From: Gerd Hoffmann <kraxel@redhat.com>
		3	Date: Fri, 28 Apr 2017 09:56:12 +0200
		4	Subject: [PATCH] audio: release capture buffers
		5
		6	AUD_add_capture() allocates two buffers which are never released.
		7	Add the missing calls to AUD_del_capture().
		8
		9	Impact: Allows vnc clients to exhaust host memory by repeatedly
		10	starting and stopping audio capture.
		11
		12	Fixes: CVE-2017-8309
		13
		14	CVE-2017-8309
		15	Upstream-Status: Backport [backport from master, v2.10.0-rc0~214^2~27]
		16
		17	Cc: P J P <ppandit@redhat.com>
		18	Cc: Huawei PSIRT <PSIRT@huawei.com>
		19	Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
		20	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		21	Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
		22	Message-id: 20170428075612.9997-1-kraxel@redhat.com
		23	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		24	---
		25	audio/audio.c \| 2 ++
		26	1 file changed, 2 insertions(+)
		27
		28	diff --git a/audio/audio.c b/audio/audio.c
		29	index c8898d8..beafed2 100644
		30	--- a/audio/audio.c
		31	+++ b/audio/audio.c
		32	@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut cap, void cb_opaque)
		33	sw = sw1;
		34	}
		35	QLIST_REMOVE (cap, entries);
		36	+ g_free (cap->hw.mix_buf);
		37	+ g_free (cap->buf);
		38	g_free (cap);
		39	}
		40	return;
		41	--
		42	1.9.1


diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend index 8db32c5..3ebff2d 100644 --- a/recipes-devtools/qemu/qemu_%.bbappend +++ b/recipes-devtools/qemu/qemu_%.bbappend
@@ -5,4 +5,5 @@ SRC_URI += "file://0001-CVE-2017-2620.patch \
5	file://0002-CVE-2017-2620.patch \	5	file://0002-CVE-2017-2620.patch \
6	file://CVE-2017-7471.patch \	6	file://CVE-2017-7471.patch \
7	file://CVE-2017-6505.patch \	7	file://CVE-2017-6505.patch \
		8	file://CVE-2017-8309.patch \
8	"	9	"