| author | Davide Gardenal <davidegarde2000@gmail.com> | 2022-05-16 10:54:15 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-05-20 10:08:06 +0100 |
| commit | d6e618ac2e096094c04ddc615059bd1976c5a851 (patch) | |
| tree | f2a956b0d2eda0dd2a33417c698385b8e3443a39 | |
| parent | cf9a7e4cc66fc3813d4957ad68d2d40c15109af7 (diff) | |
| download | poky-d6e618ac2e096094c04ddc615059bd1976c5a851.tar.gz | |
qemu: backport patch for CVE-2021-4206
CVE: CVE-2021-4206
Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=fa892e9abb728e76afcf27323ab29c57fb0fe7aa
(From OE-Core rev: 0e684c12a762534261fcd7849fdcda0bb8031c0b)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch | 89 |
2 files changed, 90 insertions, 0 deletions
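diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 1efbb104e2..b7762f83a8 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -33,6 +33,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://0001-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch \
 file://0002-virtio-net-fix-map-leaking-on-error-during-receive.patch \
 file://pvrdma.patch \
+file://CVE-2021-4206.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 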
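diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
new file mode 100644
index 0000000000..05f9c8f790
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
@@ -0,0 +1,89 @@
+From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+(CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://git.qemu.org/?p=qemu.git;a=commit;h=fa892e9abb728e76afcf27323ab29c57fb0fe7aa
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+hw/display/qxl-render.c | 7 +++++++
+hw/display/vmware_vga.c | 2 ++
+ui/cursor.c | 8 +++++++-
+3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 237ed29..ca21700 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+size_t size;
+
+c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++ if (!c) {
++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++ cursor->header.width, cursor->header.height);
++ goto fail;
++ }
++
+c->hot_x = cursor->header.hot_spot_x;
+c->hot_y = cursor->header.hot_spot_y;
+switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 98c8347..45d06cb 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+int i, pixels;
+
+qc = cursor_alloc(c->width, c->height);
++ assert(qc != NULL);
++
+qc->hot_x = c->hot_x;
+qc->hot_y = c->hot_y;
+switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd..835f080 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+
+/* parse pixel data */
+c = cursor_alloc(width, height);
++ assert(c != NULL);
++
+for (pixel = 0, y = 0; y < height; y++, line++) {
+for (x = 0; x < height; x++, pixel++) {
+idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+QEMUCursor *cursor_alloc(int width, int height)
+{
+QEMUCursor *c;
+- int datasize = width * height * sizeof(uint32_t);
++ size_t datasize = width * height * sizeof(uint32_t);
++
++ if (width > 512 || height > 512) {
++ return NULL;
++ }
+
+c = g_malloc0(sizeof(QEMUCursor) + datasize);
+c->width = width;
+--
+1.8.3.1
+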
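Review bot: In the ui/cursor.c hunk, `datasize` is initialized from `width * height` (patch line 79) before the new 512x512 guard at lines 81–83 runs, so for oversized inputs the int-by-int multiplication the commit sets out to prevent is still evaluated — as signed overflow, which is undefined behaviour — before the call is rejected, and the guard also lets negative values through, which would convert to a huge size_t on the way into g_malloc0. Tightening the check to `if (width <= 0 || height <= 0 || width > 512 || height > 512) { return NULL; }` and moving `size_t datasize = (size_t)width * height * sizeof(uint32_t);` below it would close both. Whether a negative value can actually reach cursor_alloc depends on the callers: qxl's header fields are printed with `%u` in the new error message, which suggests unsigned storage, and vmware_vga's width/height are presumably bounded earlier in the FIFO path, but neither check is visible in this patch. The `assert(qc != NULL)` added in vmsvga_cursor_define means any cursor that does get past such bounds aborts QEMU rather than being reported as a guest bug the way the qxl hunk does, so the two device callers handle the new NULL return inconsistently. cursor_alloc's body continues past the end of the hunk.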
