qemu: fix CVE-2020-15863

(From OE-Core rev: d6eb50dfe66838e6bea061cbd1a120981777b700) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-08-07 17:45:17 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-08-12 10:53:47 +0100
commit: 697e30dcb2953caf7c79f631dab77943e5b19703 (patch)
tree: 7d225d34bc3ae1b00d3189d9012852f4b26a2d9f
parent: fa2385ad96a79ffbdad6c7084378848576e082a1 (diff)
download: poky-697e30dcb2953caf7c79f631dab77943e5b19703.tar.gz
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 24b0379de4..49dbb1c13d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -44,6 +44,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-13659.patch \
           file://CVE-2020-13800.patch \
           file://CVE-2020-13362.patch \
+           file://CVE-2020-15863.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
new file mode 100644
index 0000000000..1505c7eed0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,63 @@
+From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Fri, 10 Jul 2020 11:19:41 +0200
+Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
+A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
+occurs while sending an Ethernet frame due to missing break statements
+and improper checking of the buffer size.
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5519724a13664b43e225ca05351c60b4468e4555]
+CVE: CVE-2020-15863
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/net/xgmac.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
+index 574dd47..5bf1b61 100644
+--- a/hw/net/xgmac.c
+++ b/hw/net/xgmac.c
+@@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s)
+         }
+         len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
+ 
+        /*
+         * FIXME: these cases of malformed tx descriptors (bad sizes)
+         * should probably be reported back to the guest somehow
+         * rather than simply silently stopping processing, but we
+         * don't know what the hardware does in this situation.
+         * This will only happen for buggy guests anyway.
+         */
+         if ((bd.buffer1_size & 0xfff) > 2048) {
+             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+                         "xgmac buffer 1 len on send > 2048 (0x%x)\n",
+                          __func__, bd.buffer1_size & 0xfff);
+            break;
+         }
+         if ((bd.buffer2_size & 0xfff) != 0) {
+             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+                         "xgmac buffer 2 len on send != 0 (0x%x)\n",
+                         __func__, bd.buffer2_size & 0xfff);
+            break;
+         }
+-        if (len >= sizeof(frame)) {
+        if (frame_size + len >= sizeof(frame)) {
+             DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
+-                        "buffer\n" , __func__, len, sizeof(frame));
+                        "buffer\n" , __func__, frame_size + len, sizeof(frame));
+             DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
+                         __func__, bd.buffer1_size, bd.buffer2_size);
+            break;
+         }
+ 
+         cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
+-- 
+1.8.3.1
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-08-07 17:45:17 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-08-12 10:53:47 +0100
commit	697e30dcb2953caf7c79f631dab77943e5b19703 (patch)
tree	7d225d34bc3ae1b00d3189d9012852f4b26a2d9f
parent	fa2385ad96a79ffbdad6c7084378848576e082a1 (diff)
download	poky-697e30dcb2953caf7c79f631dab77943e5b19703.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 24b0379de4..49dbb1c13d 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -44,6 +44,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
44	file://CVE-2020-13659.patch \	44	file://CVE-2020-13659.patch \
45	file://CVE-2020-13800.patch \	45	file://CVE-2020-13800.patch \
46	file://CVE-2020-13362.patch \	46	file://CVE-2020-13362.patch \
		47	file://CVE-2020-15863.patch \
47	"	48	"
48	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	49	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
49		50


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch new file mode 100644 index 0000000000..1505c7eed0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,63 @@
		1	From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
		2	From: Mauro Matteo Cascella <mcascell@redhat.com>
		3	Date: Fri, 10 Jul 2020 11:19:41 +0200
		4	Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
		5
		6	A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
		7	occurs while sending an Ethernet frame due to missing break statements
		8	and improper checking of the buffer size.
		9
		10	Reported-by: Ziming Zhang <ezrakiez@gmail.com>
		11	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
		12	Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
		13	Signed-off-by: Jason Wang <jasowang@redhat.com>
		14
		15	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5519724a13664b43e225ca05351c60b4468e4555]
		16	CVE: CVE-2020-15863
		17	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		18
		19	---
		20	hw/net/xgmac.c \| 14 ++++++++++++--
		21	1 file changed, 12 insertions(+), 2 deletions(-)
		22
		23	diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
		24	index 574dd47..5bf1b61 100644
		25	--- a/hw/net/xgmac.c
		26	+++ b/hw/net/xgmac.c
		27	@@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s)
		28	}
		29	len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
		30
		31	+ /*
		32	+ * FIXME: these cases of malformed tx descriptors (bad sizes)
		33	+ * should probably be reported back to the guest somehow
		34	+ * rather than simply silently stopping processing, but we
		35	+ * don't know what the hardware does in this situation.
		36	+ * This will only happen for buggy guests anyway.
		37	+ */
		38	if ((bd.buffer1_size & 0xfff) > 2048) {
		39	DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
		40	"xgmac buffer 1 len on send > 2048 (0x%x)\n",
		41	__func__, bd.buffer1_size & 0xfff);
		42	+ break;
		43	}
		44	if ((bd.buffer2_size & 0xfff) != 0) {
		45	DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
		46	"xgmac buffer 2 len on send != 0 (0x%x)\n",
		47	__func__, bd.buffer2_size & 0xfff);
		48	+ break;
		49	}
		50	- if (len >= sizeof(frame)) {
		51	+ if (frame_size + len >= sizeof(frame)) {
		52	DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
		53	- "buffer\n" , __func__, len, sizeof(frame));
		54	+ "buffer\n" , __func__, frame_size + len, sizeof(frame));
		55	DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
		56	__func__, bd.buffer1_size, bd.buffer2_size);
		57	+ break;
		58	}
		59
		60	cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
		61	--
		62	1.8.3.1
		63