summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-09-19 20:01:16 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 15:27:06 +0100
commit76aa0c3d5d99661ccc0272257899ad0df21f445a (patch)
tree64e65d32b9293cf10e701eb97c6a8a8ae4a3c400
parent11c8c8aa155f134679fe0d2a12a8943a8d6b8c05 (diff)
downloadpoky-76aa0c3d5d99661ccc0272257899ad0df21f445a.tar.gz
qemu: Secuirty fix for CVE-2016-5403
affects qemu < 2.7.0-rc0 (From OE-Core rev: c53820180cdccd97de1f314078570fac1ff16052) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch67
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.5.0.bb1
2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
new file mode 100644
index 0000000000..fe084f5b08
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
@@ -0,0 +1,67 @@
1From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001
2From: Stefan Hajnoczi <stefanha@redhat.com>
3Date: Tue, 19 Jul 2016 13:07:13 +0100
4Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
5
6A broken or malicious guest can submit more requests than the virtqueue
7size permits, causing unbounded memory allocation in QEMU.
8
9The guest can submit requests without bothering to wait for completion
10and is therefore not bound by virtqueue size. This requires reusing
11vring descriptors in more than one request, which is not allowed by the
12VIRTIO 1.0 specification.
13
14In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
15says:
16
17 1. The driver places the buffer into free descriptor(s) in the
18 descriptor table, chaining as necessary
19
20and
21
22 Note that the above code does not take precautions against the
23 available ring buffer wrapping around: this is not possible since the
24 ring buffer is the same size as the descriptor table, so step (1) will
25 prevent such a condition.
26
27This implies that placing more buffers into the virtqueue than the
28descriptor table size is not allowed.
29
30QEMU is missing the check to prevent this case. Processing a request
31allocates a VirtQueueElement leading to unbounded memory allocation
32controlled by the guest.
33
34Exit with an error if the guest provides more requests than the
35virtqueue size permits. This bounds memory allocation and makes the
36buggy guest visible to the user.
37
38This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
39Marvel Team, China.
40
41Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
42Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
43
44Upstream-Status: Backport
45CVE: CVE-2106-5403
46Signed-off-by: Armin Kuster <akuster@mvista.com>
47
48---
49 hw/virtio/virtio.c | 5 +++++
50 1 file changed, 5 insertions(+)
51
52Index: qemu-2.4.0/hw/virtio/virtio.c
53===================================================================
54--- qemu-2.4.0.orig/hw/virtio/virtio.c
55+++ qemu-2.4.0/hw/virtio/virtio.c
56@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
57
58 max = vq->vring.num;
59
60+ if (vq->inuse >= vq->vring.num) {
61+ error_report("Virtqueue size exceeded");
62+ exit(1);
63+ }
64+
65 i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
66 if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
67 vring_set_avail_event(vq, vq->last_avail_idx);
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index 0ffec9889c..ed8d911ea6 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -25,6 +25,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
25 file://CVE-2016-6351_p1.patch \ 25 file://CVE-2016-6351_p1.patch \
26 file://CVE-2016-6351_p2.patch \ 26 file://CVE-2016-6351_p2.patch \
27 file://CVE-2016-4002.patch \ 27 file://CVE-2016-4002.patch \
28 file://CVE-2016-5403.patch \
28 " 29 "
29SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 30SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
30SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db" 31SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"