qemu: Security Advisory - qemu - CVE-2019-15890

Backporting patch from https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943 to solve CVE-2019-15890. (From OE-Core rev: 2cccc685cc6359595ef3e943cd03290d8c8866f0) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Li Zhou <li.zhou@windriver.com> 2019-09-11 14:02:53 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-09-16 23:02:44 +0100
commit: fb5556a4b68a24d9218ac4faa0db5c360c465cd4 (patch)
tree: 787c6130e77e79451db880884271c5ef082ccfc8
parent: 1e1ad26a55081a4db6251ed9d49321ebc10b3af8 (diff)
download: poky-fb5556a4b68a24d9218ac4faa0db5c360c465cd4.tar.gz
2 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 241f9dbec1..de21d30732 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -23,6 +23,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
           file://0009-Fix-webkitgtk-builds.patch \
           file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
+           file://CVE-2019-15890.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
new file mode 100644
index 0000000000..1d89431be6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
@@ -0,0 +1,48 @@
+From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Tue, 10 Sep 2019 20:02:15 -0700
+Subject: [PATCH] ip_reass: Fix use after free
+Using ip_deq after m_free might read pointers from an allocation reuse.
+This would be difficult to exploit, but that is still related with
+CVE-2019-14378 which generates fragmented IP packets that would trigger this
+issue and at least produce a DoS.
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Upstream-Status: Backport
+CVE: CVE-2019-15890
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ slirp/src/ip_input.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
+index 8c75d914..c07d7d40 100644
+--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
+@@ -292,6 +292,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
+      */
+     while (q != (struct ipasfrag *)&fp->frag_link &&
+            ip->ip_off + ip->ip_len > q->ipf_off) {
+        struct ipasfrag *prev;
+         i = (ip->ip_off + ip->ip_len) - q->ipf_off;
+         if (i < q->ipf_len) {
+             q->ipf_len -= i;
+@@ -299,9 +300,10 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
+             m_adj(dtom(slirp, q), i);
+             break;
+         }
+        prev = q;
+         q = q->ipf_next;
+-        m_free(dtom(slirp, q->ipf_prev));
+-        ip_deq(q->ipf_prev);
+        ip_deq(prev);
+        m_free(dtom(slirp, prev));
+     }
+ 
+ insert:
+-- 
+2.23.0
author	Li Zhou <li.zhou@windriver.com>	2019-09-11 14:02:53 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-09-16 23:02:44 +0100
commit	fb5556a4b68a24d9218ac4faa0db5c360c465cd4 (patch)
tree	787c6130e77e79451db880884271c5ef082ccfc8
parent	1e1ad26a55081a4db6251ed9d49321ebc10b3af8 (diff)
download	poky-fb5556a4b68a24d9218ac4faa0db5c360c465cd4.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 241f9dbec1..de21d30732 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -23,6 +23,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
23	file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \	23	file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
24	file://0009-Fix-webkitgtk-builds.patch \	24	file://0009-Fix-webkitgtk-builds.patch \
25	file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \	25	file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
		26	file://CVE-2019-15890.patch \
26	"	27	"
27	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	28	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
28		29


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch new file mode 100644 index 0000000000..1d89431be6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
@@ -0,0 +1,48 @@
		1	From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17 00:00:00 2001
		2	From: Li Zhou <li.zhou@windriver.com>
		3	Date: Tue, 10 Sep 2019 20:02:15 -0700
		4	Subject: [PATCH] ip_reass: Fix use after free
		5
		6	Using ip_deq after m_free might read pointers from an allocation reuse.
		7
		8	This would be difficult to exploit, but that is still related with
		9	CVE-2019-14378 which generates fragmented IP packets that would trigger this
		10	issue and at least produce a DoS.
		11
		12	Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
		13
		14	Upstream-Status: Backport
		15	CVE: CVE-2019-15890
		16	Signed-off-by: Li Zhou <li.zhou@windriver.com>
		17	---
		18	slirp/src/ip_input.c \| 6 ++++--
		19	1 file changed, 4 insertions(+), 2 deletions(-)
		20
		21	diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
		22	index 8c75d914..c07d7d40 100644
		23	--- a/slirp/src/ip_input.c
		24	+++ b/slirp/src/ip_input.c
		25	@@ -292,6 +292,7 @@ static struct ip ip_reass(Slirp slirp, struct ip ip, struct ipq fp)
		26	*/
		27	while (q != (struct ipasfrag *)&fp->frag_link &&
		28	ip->ip_off + ip->ip_len > q->ipf_off) {
		29	+ struct ipasfrag *prev;
		30	i = (ip->ip_off + ip->ip_len) - q->ipf_off;
		31	if (i < q->ipf_len) {
		32	q->ipf_len -= i;
		33	@@ -299,9 +300,10 @@ static struct ip ip_reass(Slirp slirp, struct ip ip, struct ipq fp)
		34	m_adj(dtom(slirp, q), i);
		35	break;
		36	}
		37	+ prev = q;
		38	q = q->ipf_next;
		39	- m_free(dtom(slirp, q->ipf_prev));
		40	- ip_deq(q->ipf_prev);
		41	+ ip_deq(prev);
		42	+ m_free(dtom(slirp, prev));
		43	}
		44
		45	insert:
		46	--
		47	2.23.0
		48