authorSona Sarmadi <sona.sarmadi@enea.com>2015-04-29 11:02:18 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-05-01 12:34:51 +0100
commit13eda671267c7b38be0b863319f187fc8b4eae05 (patch)
treeb602906a087e6f600418372a7c429b682603ed21
parent91c507ce1cf983a600c2d38c4284e605a80297d6 (diff)
Qemu: CVE-2014-2894
Fixes an out-of-bounds memory access flaw in Qemu's IDE device model. Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2894 (From OE-Core rev: 5f7cdf1e1212af5e3dcf36c8817c63cc853b1a91) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch46
-rw-r--r--meta/recipes-devtools/qemu/qemu_1.7.0.bb3
2 files changed, 48 insertions, 1 deletions
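diff --git a/meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch b/meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch
new file mode 100644
index 0000000000..bd3566e282
--- /dev/null
+++ b/meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch
@@ -0,0 +1,46 @@
+From c5dae2f4c50ef848f224da718154af4438862cdb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Canet?= <benoit.canet@irqsave.net>
+Date: Sat, 12 Apr 2014 22:59:50 +0200
+Subject: [PATCH] ide: Correct improper smart self test counter reset in ide
+ core.
+
+The SMART self test counter was incorrectly being reset to zero,
+not 1. This had the effect that on every 21st SMART EXECUTE OFFLINE:
+ * We would write off the beginning of a dynamically allocated buffer
+ * We forgot the SMART history
+Fix this.
+
+Signed-off-by: Benoit Canet <benoit@irqsave.net>
+Message-id: 1397336390-24664-1-git-send-email-benoit.canet@irqsave.net
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Cc: qemu-stable@nongnu.org
+Acked-by: Kevin Wolf <kwolf@redhat.com>
+[PMM: tweaked commit message as per suggestions from Markus]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Fixes CVE-2014-2894
+Upstream-Status: Backport
+
+(cherry picked from commit 940973ae0b45c9b6817bab8e4cf4df99a9ef83d7)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/ide/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index e1f4c33..6007f6f 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1601,7 +1601,7 @@ static bool cmd_smart(IDEState *s, uint8_t cmd)
+ case 2: /* extended self test */
+ s->smart_selftest_count++;
+ if (s->smart_selftest_count > 21) {
+- s->smart_selftest_count = 0;
++ s->smart_selftest_count = 1;
+ }
+ n = 2 + (s->smart_selftest_count - 1) * 24;
+ s->smart_selftest_data[n] = s->sector;
+--
+1.9.1
+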
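Review bot: The index `n = 2 + (s->smart_selftest_count - 1) * 24` in the embedded hw/ide/core.c hunk stays inside `smart_selftest_data` only while the counter is in 1..21, and after this fix that invariant is still enforced solely by the wrap two lines above it. The constants 21 and 24 and the 1-based convention are undocumented; a comment above the computation such as `/* smart_selftest_count is 1-based (1..21); each log entry is 24 bytes, starting at offset 2 */` would state the constraint the fix depends on (the layout is inferred from the arithmetic, as the buffer definition is not on this page). If the counter can be set anywhere other than this path, for example when saved device state is loaded, that path should reject values outside 1..21 as well; this cannot be confirmed from the hunk. cmd_smart's body starts and ends outside the hunk.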
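diff --git a/meta/recipes-devtools/qemu/qemu_1.7.0.bb b/meta/recipes-devtools/qemu/qemu_1.7.0.bb
index b776cccc02..a519645f56 100644
--- a/meta/recipes-devtools/qemu/qemu_1.7.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_1.7.0.bb
@@ -5,7 +5,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
 
 SRC_URI += "file://fxrstorssefix.patch \
  file://qemu-enlarge-env-entry-size.patch \
- file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch"
+ file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
+ file://ide-CVE-2014-2894.patch"
 
 SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2"
 SRC_URI[md5sum] = "32893941d40d052a5e649efcf06aca06"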