author | Davide Gardenal <davidegarde2000@gmail.com> | 2022-05-16 10:54:15 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-05-20 10:08:06 +0100 |
commit | d6e618ac2e096094c04ddc615059bd1976c5a851 (patch) | |
tree | f2a956b0d2eda0dd2a33417c698385b8e3443a39 | |
parent | cf9a7e4cc66fc3813d4957ad68d2d40c15109af7 (diff) | |
download | poky-d6e618ac2e096094c04ddc615059bd1976c5a851.tar.gz |
qemu: backport patch for CVE-2021-4206
CVE: CVE-2021-4206
Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=fa892e9abb728e76afcf27323ab29c57fb0fe7aa
(From OE-Core rev: 0e684c12a762534261fcd7849fdcda0bb8031c0b)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch | 89 |
2 files changed, 90 insertions, 0 deletions
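--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -33,6 +33,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://0001-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch \
 file://0002-virtio-net-fix-map-leaking-on-error-during-receive.patch \
 file://pvrdma.patch \
+file://CVE-2021-4206.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 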
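--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
@@ -0,0 +1,89 @@
+From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+(CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://git.qemu.org/?p=qemu.git;a=commit;h=fa892e9abb728e76afcf27323ab29c57fb0fe7aa
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+hw/display/qxl-render.c | 7 +++++++
+hw/display/vmware_vga.c | 2 ++
+ui/cursor.c | 8 +++++++-
+3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 237ed29..ca21700 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+size_t size;
+
+c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++ if (!c) {
++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++ cursor->header.width, cursor->header.height);
++ goto fail;
++ }
++
+c->hot_x = cursor->header.hot_spot_x;
+c->hot_y = cursor->header.hot_spot_y;
+switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 98c8347..45d06cb 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+int i, pixels;
+
+qc = cursor_alloc(c->width, c->height);
++ assert(qc != NULL);
++
+qc->hot_x = c->hot_x;
+qc->hot_y = c->hot_y;
+switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd..835f080 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+
+/* parse pixel data */
+c = cursor_alloc(width, height);
++ assert(c != NULL);
++
+for (pixel = 0, y = 0; y < height; y++, line++) {
+for (x = 0; x < height; x++, pixel++) {
+idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+QEMUCursor *cursor_alloc(int width, int height)
+{
+QEMUCursor *c;
+- int datasize = width * height * sizeof(uint32_t);
++ size_t datasize = width * height * sizeof(uint32_t);
++
++ if (width > 512 || height > 512) {
++ return NULL;
++ }
+
+c = g_malloc0(sizeof(QEMUCursor) + datasize);
+c->width = width;
+--
+1.8.3.1
+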
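Review bot: In the cursor_alloc hunk of ui/cursor.c the new `size_t datasize = width * height * sizeof(uint32_t);` still evaluates the `int * int` product from the unchecked arguments before the `width > 512 || height > 512` guard runs, so an oversized pair still performs the signed multiplication that can overflow (undefined behaviour, even though the result is then discarded); declare `size_t datasize;`, put the guard first, and compute `datasize = (size_t)width * height * sizeof(uint32_t);` after it. The guard also lets negative values through, since a negative `int` is not `> 512`, and a negative product converted to `size_t` becomes a huge allocation request, so unless every caller guarantees non-negative dimensions the check should read `if (width < 0 || height < 0 || width > 512 || height > 512)`. The `assert(qc != NULL)` added in vmsvga_cursor_define turns an out-of-range cursor into a QEMU abort, which is only acceptable if the guest-supplied width/height are bounded before this call; that validation, if present, is outside the hunk and worth confirming rather than assuming. Visible as unchanged context in the cursor_parse_xpm hunk, the inner loop bounds `x` by `height` rather than `width`, which is only correct for square cursors and may deserve a follow-up. All three enclosing functions start and end outside their hunks.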