author | Vijay Anusuri <vanusuri@mvista.com> | 2024-04-01 13:26:48 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-04-05 07:23:59 -0700 |
commit | ebebf9d948b21983271c1c92e419a97b7d52e5bf (patch) | |
tree | f29ba16f0f66e9e492c4e0ffd1e056caf9202ba7 | |
parent | 418e54ce5c8ecf0022bb4c7996604039ed7387f2 (diff) | |
qemu: Fix for CVE-2023-6683
Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a
Reference: https://security-tracker.debian.org/tracker/CVE-2023-6683
(From OE-Core rev: f099f9ff95c42444cbfa63630a6f160fd98997ed)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch | 92 |
2 files changed, 93 insertions, 0 deletions
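--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -108,6 +108,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \
 file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch \
 file://CVE-2023-42467.patch \
+file://CVE-2023-6683.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 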
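--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
@@ -0,0 +1,92 @@
+From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Wed, 24 Jan 2024 11:57:48 +0100
+Subject: [PATCH] ui/clipboard: mark type as not available when there is no
+ data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT
+message with len=0. In qemu_clipboard_set_data(), the clipboard info
+will be updated setting data to NULL (because g_memdup(data, size)
+returns NULL when size is 0). If the client does not set the
+VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then
+the 'request' callback for the clipboard peer is not initialized.
+Later, because data is NULL, qemu_clipboard_request() can be reached
+via vdagent_chr_write() and vdagent_clipboard_recv_request() and
+there, the clipboard owner's 'request' callback will be attempted to
+be called, but that is a NULL pointer.
+
+In particular, this can happen when using the KRDC (22.12.3) VNC
+client.
+
+Another scenario leading to the same issue is with two clients (say
+noVNC and KRDC):
+
+The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and
+initializes its cbpeer.
+
+The KRDC client does not, but triggers a vnc_client_cut_text() (note
+it's not the _ext variant)). There, a new clipboard info with it as
+the 'owner' is created and via qemu_clipboard_set_data() is called,
+which in turn calls qemu_clipboard_update() with that info.
+
+In qemu_clipboard_update(), the notifier for the noVNC client will be
+called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the
+noVNC client. The 'owner' in that clipboard info is the clipboard peer
+for the KRDC client, which did not initialize the 'request' function.
+That sounds correct to me, it is the owner of that clipboard info.
+
+Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set
+the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it
+passes), that clipboard info is passed to qemu_clipboard_request() and
+the original segfault still happens.
+
+Fix the issue by handling updates with size 0 differently. In
+particular, mark in the clipboard info that the type is not available.
+
+While at it, switch to g_memdup2(), because g_memdup() is deprecated.
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2023-6683
+Reported-by: Markus Frank <m.frank@proxmox.com>
+Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Tested-by: Markus Frank <m.frank@proxmox.com>
+Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a]
+CVE: CVE-2023-6683
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ui/clipboard.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/ui/clipboard.c b/ui/clipboard.c
+index 3d14bffaf80..b3f6fa3c9e1 100644
+--- a/ui/clipboard.c
++++ b/ui/clipboard.c
+@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
+ }
+ 
+ g_free(info->types[type].data);
+- info->types[type].data = g_memdup(data, size);
+- info->types[type].size = size;
+- info->types[type].available = true;
++ if (size) {
++ info->types[type].data = g_memdup2(data, size);
++ info->types[type].size = size;
++ info->types[type].available = true;
++ } else {
++ info->types[type].data = NULL;
++ info->types[type].size = 0;
++ info->types[type].available = false;
++ }
+ 
+ if (update) {
+ qemu_clipboard_update(info);
+-- 
+GitLab
+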
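Review bot: The new `else` branch in qemu_clipboard_set_data() (inner hunk `@@ -163,9 +163,15 @@`) has no comment saying why a zero-length update clears `available` instead of storing an empty entry; the reason lives only in the commit message, and a later cleanup could fold the two branches back together and reintroduce the NULL-callback path. Suggest a comment above `if (size) {`: `/* A zero-length update means the type is not available: keep data NULL and clear 'available' so consumers never issue a request for it to an owner whose 'request' callback may be unset (CVE-2023-6683). */`. The fix also depends on every reader of `info->types[type]` checking `available` before reaching qemu_clipboard_request(); as the description notes the owner's `request` callback can still be NULL, so a NULL check on that callback inside qemu_clipboard_request() would make the crash impossible regardless of caller discipline — that function is outside this patch. qemu_clipboard_set_data() itself begins and ends outside the hunk.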