summaryrefslogtreecommitdiffstats
path: root/recipes-devtools
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2017-09-14 08:16:06 +0200
committerMartin Borg <martin.borg@enea.com>2017-09-18 13:54:31 +0200
commit4c6acb2de2b9612dfae273e63348c40921ebf235 (patch)
tree5283f8803a3bcbb5fb919cba75df5cbddcd99ce5 /recipes-devtools
parent89da7b077d37beea5b759ad35bba6366aa696245 (diff)
downloadmeta-nfv-access-common-4c6acb2de2b9612dfae273e63348c40921ebf235.tar.gz
qemu: CVE-2017-5931
Fixes integer overflow in in handling virtio-crypto requests Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
Diffstat (limited to 'recipes-devtools')
-rw-r--r--recipes-devtools/qemu/qemu/CVE-2017-5931.patch52
-rw-r--r--recipes-devtools/qemu/qemu_%.bbappend1
2 files changed, 53 insertions, 0 deletions
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-5931.patch b/recipes-devtools/qemu/qemu/CVE-2017-5931.patch
new file mode 100644
index 0000000..4c35c26
--- /dev/null
+++ b/recipes-devtools/qemu/qemu/CVE-2017-5931.patch
@@ -0,0 +1,52 @@
1From d6f119475d3c9c913f9140771895036be66d5c33 Mon Sep 17 00:00:00 2001
2From: Gonglei <arei.gonglei@huawei.com>
3Date: Tue, 3 Jan 2017 14:50:03 +0800
4Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
5
6Because the 'size_t' type is 4 bytes in 32-bit platform, which
7is the same with 'int'. It's easy to make 'max_len' to zero when
8integer overflow and then cause heap overflow if 'max_len' is zero.
9
10Using uint_64 instead of size_t to avoid the integer overflow.
11
12CVE: CVE-2017-5931
13Upstream-Status: Backport [backport from 2.8.1.1 releases: https://git.qemu.org/?p=qemu.git;a=commit;h=d6f119475d3c9c913f9140771895036be66d5c33]
14
15Cc: qemu-stable@nongnu.org
16Reported-by: Li Qiang <liqiang6-s@360.cn>
17Signed-off-by: Gonglei <arei.gonglei@huawei.com>
18Tested-by: Li Qiang <liqiang6-s@360.cn>
19Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
20Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
21(cherry picked from commit a08aaff811fb194950f79711d2afe5a892ae03a4)
22Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
23Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
24---
25 hw/virtio/virtio-crypto.c | 4 ++--
26 1 file changed, 2 insertions(+), 2 deletions(-)
27
28diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
29index 2f2467e..c23e1ad 100644
30--- a/hw/virtio/virtio-crypto.c
31+++ b/hw/virtio/virtio-crypto.c
32@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
33 uint32_t hash_start_src_offset = 0, len_to_hash = 0;
34 uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
35
36- size_t max_len, curr_size = 0;
37+ uint64_t max_len, curr_size = 0;
38 size_t s;
39
40 /* Plain cipher */
41@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
42 return NULL;
43 }
44
45- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
46+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
47 if (unlikely(max_len > vcrypto->conf.max_size)) {
48 virtio_error(vdev, "virtio-crypto too big length");
49 return NULL;
50--
511.9.1
52
diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend
index 3ebff2d..e27553c 100644
--- a/recipes-devtools/qemu/qemu_%.bbappend
+++ b/recipes-devtools/qemu/qemu_%.bbappend
@@ -6,4 +6,5 @@ SRC_URI += "file://0001-CVE-2017-2620.patch \
6 file://CVE-2017-7471.patch \ 6 file://CVE-2017-7471.patch \
7 file://CVE-2017-6505.patch \ 7 file://CVE-2017-6505.patch \
8 file://CVE-2017-8309.patch \ 8 file://CVE-2017-8309.patch \
9 file://CVE-2017-5931.patch \
9 " 10 "