qemu: Security fixes CVE-2018-20815 CVE-2019-9824

Source: qemu.org MR: 98623 Type: Security Fix Disposition: Backport from qemu.org ChangeID: 03b3f28e5860ef1cb9f58dce89f252bd7ed59f37 Description: Fixes both CVE-2018-20815 and CVE-2019-9824 (From OE-Core rev: 5c45cd09fb29d4a1ebda6153a25f16e312049c44) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-07-01 17:30:37 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-27 18:05:18 +0100
commit: e2f3997a84d0d700b0570a0f5d6f17ceffd955c4 (patch)
tree: be18f12e4296eeb0eae4e70799281c8653be3693
parent: 45e662b445970d6f57b8787c0c61b903cdfaa238 (diff)
download: poky-e2f3997a84d0d700b0570a0f5d6f17ceffd955c4.tar.gz
4 files changed, 144 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch
new file mode 100644
index 0000000000..c3a5981488
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch
@@ -0,0 +1,42 @@
+From da885fe1ee8b4589047484bd7fa05a4905b52b17 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Fri, 14 Dec 2018 13:30:52 +0000
+Subject: [PATCH] device_tree.c: Don't use load_image()
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Message-id: 20181130151712.2312-9-peter.maydell@linaro.org
+Upstream-Status: Backport
+CVE: CVE-2018-20815
+affects <= 3.0.1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/device_tree.c b/device_tree.c
+index 6d9c972..296278e 100644
+--- a/device_tree.c
+++ b/device_tree.c
+@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
+     /* First allocate space in qemu for device tree */
+     fdt = g_malloc0(dt_size);
+ 
+-    dt_file_load_size = load_image(filename_path, fdt);
+    dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+     if (dt_file_load_size < 0) {
+         error_report("Unable to open device tree file '%s'",
+                      filename_path);
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch
new file mode 100644
index 0000000000..d01e874473
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch
@@ -0,0 +1,52 @@
+From 065e6298a75164b4347682b63381dbe752c2b156 Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Tue, 9 Apr 2019 19:40:18 +0200
+Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
+computation of @dt_size overflows to a negative number, which then
+gets converted to a very large size_t for g_malloc0() and
+load_image_size().  In the (fortunately improbable) case g_malloc0()
+succeeds and load_image_size() survives, we'd assign the negative
+number to *sizep.  What that would do to the callers I can't say, but
+it's unlikely to be good.
+Fix by rejecting images whose size would overflow.
+Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com>
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20190409174018.25798-1-armbru@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2018-20815
+affects <= 3.0.1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ device_tree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/device_tree.c b/device_tree.c
+index 296278e..f8b46b3 100644
+--- a/device_tree.c
+++ b/device_tree.c
+@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
+                      filename_path);
+         goto fail;
+     }
+    if (dt_size > INT_MAX / 2 - 10000) {
+        error_report("Device tree file '%s' is too large", filename_path);
+        goto fail;
+    }
+ 
+     /* Expand to 2x size to give enough room for manipulation.  */
+     dt_size += 10000;
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
new file mode 100644
index 0000000000..7f8300672b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
@@ -0,0 +1,47 @@
+From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001
+From: William Bowling <will@wbowling.info>
+Date: Fri, 1 Mar 2019 21:45:56 +0000
+Subject: [PATCH 1/1] slirp: check sscanf result when emulating ident
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+Signed-off-by: William Bowling <will@wbowling.info>
+Cc: qemu-stable@nongnu.org
+Cc: secalert@redhat.com
+Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-DaudÃ© <philmd@redhat.com>
+Upstream-Status: Backport
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d3222975c7d6cda9e25809dea05241188457b113;hp=6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8
+CVE: CVE-2019-9824
+affects < 4.0.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: qemu-3.0.0/slirp/tcp_subr.c
+===================================================================
+--- qemu-3.0.0.orig/slirp/tcp_subr.c
+++ qemu-3.0.0/slirp/tcp_subr.c
+@@ -662,12 +662,12 @@ tcp_emu(struct socket *so, struct mbuf *
+                                                        break;
+                                                }
+                                        }
+                so_rcv->sb_cc = snprintf(so_rcv->sb_data, 
+                                         so_rcv->sb_datalen,
+                                         "%d,%d\r\n", n1, n2);
+                so_rcv->sb_rptr = so_rcv->sb_data;
+                so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+                                }
+-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+-                                                         so_rcv->sb_datalen,
+-                                                         "%d,%d\r\n", n1, n2);
+-                               so_rcv->sb_rptr = so_rcv->sb_data;
+-                               so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+                        }
+                        m_free(m);
+                        return 0;
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index 63a6468acd..b591cc244b 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -32,6 +32,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2018-19364_p2.patch \
           file://CVE-2018-19489.patch \
           file://CVE-2019-12155.patch \
+           file://CVE-2018-20815_p1.patch \
+           file://CVE-2018-20815_p2.patch \
+           file://CVE-2019-9824.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
author	Armin Kuster <akuster@mvista.com>	2019-07-01 17:30:37 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +0100
commit	e2f3997a84d0d700b0570a0f5d6f17ceffd955c4 (patch)
tree	be18f12e4296eeb0eae4e70799281c8653be3693
parent	45e662b445970d6f57b8787c0c61b903cdfaa238 (diff)
download	poky-e2f3997a84d0d700b0570a0f5d6f17ceffd955c4.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch new file mode 100644 index 0000000000..c3a5981488 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch
@@ -0,0 +1,42 @@
		1	From da885fe1ee8b4589047484bd7fa05a4905b52b17 Mon Sep 17 00:00:00 2001
		2	From: Peter Maydell <peter.maydell@linaro.org>
		3	Date: Fri, 14 Dec 2018 13:30:52 +0000
		4	Subject: [PATCH] device_tree.c: Don't use load_image()
		5
		6	The load_image() function is deprecated, as it does not let the
		7	caller specify how large the buffer to read the file into is.
		8	Instead use load_image_size().
		9
		10	Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
		11	Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
		12	Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
		13	Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
		14	Reviewed-by: Eric Blake <eblake@redhat.com>
		15	Message-id: 20181130151712.2312-9-peter.maydell@linaro.org
		16
		17	Upstream-Status: Backport
		18	CVE: CVE-2018-20815
		19	affects <= 3.0.1
		20
		21	Signed-off-by: Armin Kuster <akuster@mvista.com>
		22
		23	---
		24	device_tree.c \| 2 +-
		25	1 file changed, 1 insertion(+), 1 deletion(-)
		26
		27	diff --git a/device_tree.c b/device_tree.c
		28	index 6d9c972..296278e 100644
		29	--- a/device_tree.c
		30	+++ b/device_tree.c
		31	@@ -91,7 +91,7 @@ void load_device_tree(const char filename_path, int *sizep)
		32	/* First allocate space in qemu for device tree */
		33	fdt = g_malloc0(dt_size);
		34
		35	- dt_file_load_size = load_image(filename_path, fdt);
		36	+ dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
		37	if (dt_file_load_size < 0) {
		38	error_report("Unable to open device tree file '%s'",
		39	filename_path);
		40	--
		41	2.7.4
		42


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch new file mode 100644 index 0000000000..d01e874473 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch
@@ -0,0 +1,52 @@
		1	From 065e6298a75164b4347682b63381dbe752c2b156 Mon Sep 17 00:00:00 2001
		2	From: Markus Armbruster <armbru@redhat.com>
		3	Date: Tue, 9 Apr 2019 19:40:18 +0200
		4	Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree()
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
		10	computation of @dt_size overflows to a negative number, which then
		11	gets converted to a very large size_t for g_malloc0() and
		12	load_image_size(). In the (fortunately improbable) case g_malloc0()
		13	succeeds and load_image_size() survives, we'd assign the negative
		14	number to *sizep. What that would do to the callers I can't say, but
		15	it's unlikely to be good.
		16
		17	Fix by rejecting images whose size would overflow.
		18
		19	Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com>
		20	Signed-off-by: Markus Armbruster <armbru@redhat.com>
		21	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
		22	Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
		23	Message-Id: <20190409174018.25798-1-armbru@redhat.com>
		24
		25	Upstream-Status: Backport
		26	CVE: CVE-2018-20815
		27	affects <= 3.0.1
		28
		29	Signed-off-by: Armin Kuster <akuster@mvista.com>
		30
		31	---
		32	device_tree.c \| 4 ++++
		33	1 file changed, 4 insertions(+)
		34
		35	diff --git a/device_tree.c b/device_tree.c
		36	index 296278e..f8b46b3 100644
		37	--- a/device_tree.c
		38	+++ b/device_tree.c
		39	@@ -84,6 +84,10 @@ void load_device_tree(const char filename_path, int *sizep)
		40	filename_path);
		41	goto fail;
		42	}
		43	+ if (dt_size > INT_MAX / 2 - 10000) {
		44	+ error_report("Device tree file '%s' is too large", filename_path);
		45	+ goto fail;
		46	+ }
		47
		48	/* Expand to 2x size to give enough room for manipulation. */
		49	dt_size += 10000;
		50	--
		51	2.7.4
		52


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch new file mode 100644 index 0000000000..7f8300672b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
@@ -0,0 +1,47 @@
		1	From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001
		2	From: William Bowling <will@wbowling.info>
		3	Date: Fri, 1 Mar 2019 21:45:56 +0000
		4	Subject: [PATCH 1/1] slirp: check sscanf result when emulating ident
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=utf8
		7	Content-Transfer-Encoding: 8bit
		8
		9	When emulating ident in tcp_emu, if the strchr checks passed but the
		10	sscanf check failed, two uninitialized variables would be copied and
		11	sent in the reply, so move this code inside the if(sscanf()) clause.
		12
		13	Signed-off-by: William Bowling <will@wbowling.info>
		14	Cc: qemu-stable@nongnu.org
		15	Cc: secalert@redhat.com
		16	Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
		17	Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
		18	Reviewed-by: Philippe Mathieu-DaudÃ© <philmd@redhat.com>
		19
		20	Upstream-Status: Backport
		21	https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d3222975c7d6cda9e25809dea05241188457b113;hp=6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8
		22	CVE: CVE-2019-9824
		23	affects < 4.0.0
		24	Signed-off-by: Armin Kuster <akuster@mvista.com>
		25
		26	Index: qemu-3.0.0/slirp/tcp_subr.c
		27	===================================================================
		28	--- qemu-3.0.0.orig/slirp/tcp_subr.c
		29	+++ qemu-3.0.0/slirp/tcp_subr.c
		30	@@ -662,12 +662,12 @@ tcp_emu(struct socket so, struct mbuf
		31	break;
		32	}
		33	}
		34	+ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
		35	+ so_rcv->sb_datalen,
		36	+ "%d,%d\r\n", n1, n2);
		37	+ so_rcv->sb_rptr = so_rcv->sb_data;
		38	+ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
		39	}
		40	- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
		41	- so_rcv->sb_datalen,
		42	- "%d,%d\r\n", n1, n2);
		43	- so_rcv->sb_rptr = so_rcv->sb_data;
		44	- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
		45	}
		46	m_free(m);
		47	return 0;


diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb index 63a6468acd..b591cc244b 100644 --- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -32,6 +32,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
32	file://CVE-2018-19364_p2.patch \	32	file://CVE-2018-19364_p2.patch \
33	file://CVE-2018-19489.patch \	33	file://CVE-2018-19489.patch \
34	file://CVE-2019-12155.patch \	34	file://CVE-2019-12155.patch \
		35	file://CVE-2018-20815_p1.patch \
		36	file://CVE-2018-20815_p2.patch \
		37	file://CVE-2019-9824.patch \
35	"	38	"
36	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	39	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
37		40