summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAdrian Dudau <adrian.dudau@enea.com>2016-11-03 14:18:00 +0100
committerSona Sarmadi <sona.sarmadi@enea.com>2017-02-10 12:21:36 +0100
commitad13ebb1a522389441b526ddf11301761e7c3938 (patch)
treeee98b2ee94835c04abaeb95676597732df0d27b6
parenta1533cc9b6bf6e555bdec1ecaac6e49437402e5c (diff)
downloadpoky-ad13ebb1a522389441b526ddf11301761e7c3938.tar.gz
qemu: Security fix CVE-2016-4439
affects qemu < 2.7.0 Quick Emulator(Qemu) built with the ESP/NCR53C9x controller emulation support is vulnerable to an OOB write access issue. The controller uses 16-byte FIFO buffer for command and data transfer. The OOB write occurs while writing to this command buffer in routine get_cmd(). A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS. References: ---------- http://www.openwall.com/lists/oss-security/2016/05/19/4 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4441 Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch78
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.5.0.bb1
2 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
new file mode 100644
index 0000000000..3cbe394bfd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
@@ -0,0 +1,78 @@
1From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 19 May 2016 16:09:31 +0530
4Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441)
5
6The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
7FIFO buffer. It is used to handle command and data transfer.
8Routine get_cmd() uses DMA to read scsi commands into this buffer.
9Add check to validate DMA length against buffer size to avoid any
10overrun.
11
12Fixes CVE-2016-4441.
13
14Upstream-Status: Backport
15
16Reported-by: Li Qiang <liqiang6-s@360.cn>
17Cc: qemu-stable@nongnu.org
18Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
19Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
20Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
21Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
22---
23 hw/scsi/esp.c | 11 +++++++----
24 1 files changed, 7 insertions(+), 4 deletions(-)
25
26diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
27index 01497e6..591c817 100644
28--- a/hw/scsi/esp.c
29+++ b/hw/scsi/esp.c
30@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
31 }
32 }
33
34-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
35+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
36 {
37 uint32_t dmalen;
38 int target;
39@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
40 dmalen = s->rregs[ESP_TCLO];
41 dmalen |= s->rregs[ESP_TCMID] << 8;
42 dmalen |= s->rregs[ESP_TCHI] << 16;
43+ if (dmalen > buflen) {
44+ return 0;
45+ }
46 s->dma_memory_read(s->dma_opaque, buf, dmalen);
47 } else {
48 dmalen = s->ti_size;
49@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
50 s->dma_cb = handle_satn;
51 return;
52 }
53- len = get_cmd(s, buf);
54+ len = get_cmd(s, buf, sizeof(buf));
55 if (len)
56 do_cmd(s, buf);
57 }
58@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
59 s->dma_cb = handle_s_without_atn;
60 return;
61 }
62- len = get_cmd(s, buf);
63+ len = get_cmd(s, buf, sizeof(buf));
64 if (len) {
65 do_busid_cmd(s, buf, 0);
66 }
67@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
68 s->dma_cb = handle_satn_stop;
69 return;
70 }
71- s->cmdlen = get_cmd(s, s->cmdbuf);
72+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
73 if (s->cmdlen) {
74 trace_esp_handle_satn_stop(s->cmdlen);
75 s->do_cmd = 1;
76--
771.7.0.4
78
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index ed8d911ea6..58902b1988 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -26,6 +26,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
26 file://CVE-2016-6351_p2.patch \ 26 file://CVE-2016-6351_p2.patch \
27 file://CVE-2016-4002.patch \ 27 file://CVE-2016-4002.patch \
28 file://CVE-2016-5403.patch \ 28 file://CVE-2016-5403.patch \
29 file://CVE-2016-4441.patch \
29 " 30 "
30SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 31SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
31SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db" 32SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"