diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2024-02-26 12:33:09 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-03-07 08:32:54 -1000 |
commit | b9aad2ed8a0adda9a805b9314abfd28c954b2737 (patch) | |
tree | d2e85e70c4f5e179548c3fa3912771b00196369c | |
parent | e4f9b3aa4f9e299bf241201687ce52df01bf534e (diff) | |
download | poky-b9aad2ed8a0adda9a805b9314abfd28c954b2737.tar.gz |
qemu: Fix for CVE-2024-24474
Upstream-Status: Backport
[https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52]
(From OE-Core rev: 71600de72c602e6d1ae2c3b13af6c59440affdb6)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch | 44 |
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index c5fb9b1eab..18752af274 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -103,6 +103,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
103 | file://CVE-2021-3638.patch \ | 103 | file://CVE-2021-3638.patch \ |
104 | file://CVE-2023-1544.patch \ | 104 | file://CVE-2023-1544.patch \ |
105 | file://CVE-2023-5088.patch \ | 105 | file://CVE-2023-5088.patch \ |
106 | file://CVE-2024-24474.patch \ | ||
106 | " | 107 | " |
107 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 108 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
108 | 109 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch new file mode 100644 index 0000000000..e890fe56cf --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 77668e4b9bca03a856c27ba899a2513ddf52bb52 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
3 | Date: Wed, 13 Sep 2023 21:44:09 +0100 | ||
4 | Subject: [PATCH] esp: restrict non-DMA transfer length to that of available | ||
5 | data | ||
6 | |||
7 | In the case where a SCSI layer transfer is incorrectly terminated, it is | ||
8 | possible for a TI command to cause a SCSI buffer overflow due to the | ||
9 | expected transfer data length being less than the available data in the | ||
10 | FIFO. When this occurs the unsigned async_len variable underflows and | ||
11 | becomes a large offset which writes past the end of the allocated SCSI | ||
12 | buffer. | ||
13 | |||
14 | Restrict the non-DMA transfer length to be the smallest of the expected | ||
15 | transfer length and the available FIFO data to ensure that it is no longer | ||
16 | possible for the SCSI buffer overflow to occur. | ||
17 | |||
18 | Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
19 | Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810 | ||
20 | Reviewed-by: Thomas Huth <thuth@redhat.com> | ||
21 | Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk> | ||
22 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
23 | |||
24 | Upstream-Status: Backport [https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52] | ||
25 | CVE: CVE-2024-24474 | ||
26 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
27 | --- | ||
28 | hw/scsi/esp.c | 3 ++- | ||
29 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
30 | |||
31 | diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c | ||
32 | index 4218a6a96054..9b11d8c5738a 100644 | ||
33 | --- a/hw/scsi/esp.c | ||
34 | +++ b/hw/scsi/esp.c | ||
35 | @@ -759,7 +759,8 @@ static void esp_do_nodma(ESPState *s) | ||
36 | } | ||
37 | |||
38 | if (to_device) { | ||
39 | - len = MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ); | ||
40 | + len = MIN(s->async_len, ESP_FIFO_SZ); | ||
41 | + len = MIN(len, fifo8_num_used(&s->fifo)); | ||
42 | esp_fifo_pop_buf(&s->fifo, s->async_buf, len); | ||
43 | s->async_buf += len; | ||
44 | s->async_len -= len; | ||