QEMU: CVE-2022-3165 VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion

Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/d307040b18 (From OE-Core rev: c7eb6da6fa68caf2fb0becbbebeea5e8ea2c9c56) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-11-08 18:21:38 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-11-20 08:19:17 +0000
commit: 52e9ab5da1f445266c94b0c6432ddc2747fdc2c0 (patch)
tree: f0ff3c91dc6f0d5a2b469857f4a2644bafc263f6
parent: 37595eeddfb01110d8cdc628be76a8bf6bde483a (diff)
download: poky-52e9ab5da1f445266c94b0c6432ddc2747fdc2c0.tar.gz
2 files changed, 62 insertions, 1 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 19431ee6dd..6a49dc53e9 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -13,7 +13,6 @@ inherit pkgconfig ptest python3-dir
 LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
                    file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f"
 SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://powerpc_rom.bin \
           file://run-ptest \
@@ -92,6 +91,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://0019-target-ppc-Implement-Vector-Mask-Move-insns.patch \
           file://0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch \
           file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch \
+           file://CVE-2022-3165.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
new file mode 100644
index 0000000000..a7d061eb99
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
@@ -0,0 +1,61 @@
+From a15f7d9913d050fb72a79bbbefa5c2329d92e71d Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 8 Nov 2022 17:10:00 +0530
+Subject: [PATCH] CVE-2022-3165
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/d307040b18]
+CVE: CVE-2022-3165
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext
+Extended ClientCutText messages start with a 4-byte header. If len < 4,
+an integer underflow occurs in vnc_client_cut_text_ext. The result is
+used to decompress data in a while loop in inflate_buffer, leading to
+CPU consumption and denial of service. Prevent this by checking dlen in
+protocol_client_msg.
+Fixes: CVE-2022-3165
+("ui/vnc: clipboard support")
+Reported-by: default avatarTangPeng <tangpeng@qianxin.com>
+Signed-off-by: Mauro Matteo Cascella's avatarMauro Matteo Cascella <mcascell@redhat.com>
+Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+---
+ ui/vnc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/ui/vnc.c b/ui/vnc.c
+index af02522e8..a14b6861b 100644
+--- a/ui/vnc.c
+++ b/ui/vnc.c
+@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+         if (len == 1) {
+             return 8;
+         }
+        uint32_t dlen = abs(read_s32(data, 4));
+         if (len == 8) {
+-            uint32_t dlen = abs(read_s32(data, 4));
+             if (dlen > (1 << 20)) {
+                 error_report("vnc: client_cut_text msg payload has %u bytes"
+                              " which exceeds our limit of 1MB.", dlen);
+@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+         }
+ 
+         if (read_s32(data, 4) < 0) {
+-            vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
+-                                    read_u32(data, 8), data + 12);
+            if (dlen < 4) {
+                error_report("vnc: malformed payload (header less than 4 bytes)"
+                             " in extended clipboard pseudo-encoding.");
+                vnc_client_error(vs);
+                break;
+            }
+            vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
+             break;
+         }
+         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
+-- 
+2.25.1
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-11-08 18:21:38 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-11-20 08:19:17 +0000
commit	52e9ab5da1f445266c94b0c6432ddc2747fdc2c0 (patch)
tree	f0ff3c91dc6f0d5a2b469857f4a2644bafc263f6
parent	37595eeddfb01110d8cdc628be76a8bf6bde483a (diff)
download	poky-52e9ab5da1f445266c94b0c6432ddc2747fdc2c0.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 19431ee6dd..6a49dc53e9 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -13,7 +13,6 @@ inherit pkgconfig ptest python3-dir
13		13
14	LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \	14	LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
15	file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f"	15	file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f"
16
17	SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \	16	SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
18	file://powerpc_rom.bin \	17	file://powerpc_rom.bin \
19	file://run-ptest \	18	file://run-ptest \
@@ -92,6 +91,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
92	file://0019-target-ppc-Implement-Vector-Mask-Move-insns.patch \	91	file://0019-target-ppc-Implement-Vector-Mask-Move-insns.patch \
93	file://0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch \	92	file://0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch \
94	file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch \	93	file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch \
		94	file://CVE-2022-3165.patch \
95	"	95	"
96	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	96	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
97		97


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch new file mode 100644 index 0000000000..a7d061eb99 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
@@ -0,0 +1,61 @@
		1	From a15f7d9913d050fb72a79bbbefa5c2329d92e71d Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Tue, 8 Nov 2022 17:10:00 +0530
		4	Subject: [PATCH] CVE-2022-3165
		5
		6	Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/d307040b18]
		7	CVE: CVE-2022-3165
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9
		10	ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext
		11
		12	Extended ClientCutText messages start with a 4-byte header. If len < 4,
		13	an integer underflow occurs in vnc_client_cut_text_ext. The result is
		14	used to decompress data in a while loop in inflate_buffer, leading to
		15	CPU consumption and denial of service. Prevent this by checking dlen in
		16	protocol_client_msg.
		17
		18	Fixes: CVE-2022-3165
		19
		20	("ui/vnc: clipboard support")
		21	Reported-by: default avatarTangPeng <tangpeng@qianxin.com>
		22	Signed-off-by: Mauro Matteo Cascella's avatarMauro Matteo Cascella <mcascell@redhat.com>
		23	Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
		24	Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
		25	---
		26	ui/vnc.c \| 11 ++++++++---
		27	1 file changed, 8 insertions(+), 3 deletions(-)
		28
		29	diff --git a/ui/vnc.c b/ui/vnc.c
		30	index af02522e8..a14b6861b 100644
		31	--- a/ui/vnc.c
		32	+++ b/ui/vnc.c
		33	@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState vs, uint8_t data, size_t len)
		34	if (len == 1) {
		35	return 8;
		36	}
		37	+ uint32_t dlen = abs(read_s32(data, 4));
		38	if (len == 8) {
		39	- uint32_t dlen = abs(read_s32(data, 4));
		40	if (dlen > (1 << 20)) {
		41	error_report("vnc: client_cut_text msg payload has %u bytes"
		42	" which exceeds our limit of 1MB.", dlen);
		43	@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState vs, uint8_t data, size_t len)
		44	}
		45
		46	if (read_s32(data, 4) < 0) {
		47	- vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
		48	- read_u32(data, 8), data + 12);
		49	+ if (dlen < 4) {
		50	+ error_report("vnc: malformed payload (header less than 4 bytes)"
		51	+ " in extended clipboard pseudo-encoding.");
		52	+ vnc_client_error(vs);
		53	+ break;
		54	+ }
		55	+ vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
		56	break;
		57	}
		58	vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
		59	--
		60	2.25.1
		61