author | Hitendra Prajapati <hprajapati@mvista.com> | 2022-11-08 18:21:38 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-11-20 08:19:17 +0000 |
commit | 52e9ab5da1f445266c94b0c6432ddc2747fdc2c0 (patch) | |
tree | f0ff3c91dc6f0d5a2b469857f4a2644bafc263f6 | |
parent | 37595eeddfb01110d8cdc628be76a8bf6bde483a (diff) | |
QEMU: CVE-2022-3165 VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion
Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/d307040b18
(From OE-Core rev: c7eb6da6fa68caf2fb0becbbebeea5e8ea2c9c56)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch | 61 |
2 files changed, 62 insertions, 1 deletions
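--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -13,7 +13,6 @@ inherit pkgconfig ptest python3-dir
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
 file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f"
-
 SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://powerpc_rom.bin \
 file://run-ptest \
@@ -92,6 +91,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://0019-target-ppc-Implement-Vector-Mask-Move-insns.patch \
 file://0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch \
 file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch \
+file://CVE-2022-3165.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 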
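--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
@@ -0,0 +1,61 @@
+From a15f7d9913d050fb72a79bbbefa5c2329d92e71d Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 8 Nov 2022 17:10:00 +0530
+Subject: [PATCH] CVE-2022-3165
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/d307040b18]
+CVE: CVE-2022-3165
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext
+
+Extended ClientCutText messages start with a 4-byte header. If len < 4,
+an integer underflow occurs in vnc_client_cut_text_ext. The result is
+used to decompress data in a while loop in inflate_buffer, leading to
+CPU consumption and denial of service. Prevent this by checking dlen in
+protocol_client_msg.
+
+Fixes: CVE-2022-3165
+
+("ui/vnc: clipboard support")
+Reported-by: default avatarTangPeng <tangpeng@qianxin.com>
+Signed-off-by: Mauro Matteo Cascella's avatarMauro Matteo Cascella <mcascell@redhat.com>
+Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+---
+ui/vnc.c | 11 ++++++++---
+1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index af02522e8..a14b6861b 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+if (len == 1) {
+return 8;
+}
++ uint32_t dlen = abs(read_s32(data, 4));
+if (len == 8) {
+- uint32_t dlen = abs(read_s32(data, 4));
+if (dlen > (1 << 20)) {
+error_report("vnc: client_cut_text msg payload has %u bytes"
+" which exceeds our limit of 1MB.", dlen);
+@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+}
+
+if (read_s32(data, 4) < 0) {
+- vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
+- read_u32(data, 8), data + 12);
++ if (dlen < 4) {
++ error_report("vnc: malformed payload (header less than 4 bytes)"
++ " in extended clipboard pseudo-encoding.");
++ vnc_client_error(vs);
++ break;
++ }
++ vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
+break;
+}
+vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
+--
+2.25.1
+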
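Review bot: The hoisted line `uint32_t dlen = abs(read_s32(data, 4));` still takes abs() of a client-controlled int32_t, and abs(INT32_MIN) is undefined behavior in C (CERT INT32-C); a client sending a length field of 0x80000000 hits exactly that value before the 1 MB limit check can reject it, and while the wrapped result is caught by that check in practice, the compiler is entitled to assume the case never occurs. Do the negation in unsigned arithmetic instead, e.g. `int32_t slen = read_s32(data, 4);` followed by `uint32_t dlen = slen < 0 ? -(uint32_t)slen : (uint32_t)slen;`, which also lets the later `if (read_s32(data, 4) < 0)` test reuse `slen` rather than re-reading the buffer. Moving dlen above `if (len == 8)` also means bytes 4..7 are now read on every call that passes the `len == 1` early return; that looks safe given the 8-byte request returned there, but protocol_client_msg starts and ends outside this hunk, so I could not confirm that no shorter len reaches this point. Minor: the `Reported-by: default avatarTangPeng` and `...'s avatar...` trailers carry GitLab page text pasted into the patch header; drop the avatar fragments so the trailers match the upstream commit.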