qemu: Security fix for CVE-2019-12155

Source: qemu.org MR: 98382 Type: Security Fix Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99 ChangeID: e4e5983ec1fa489eb8a0db08d1afa0606e59dde3 Description: Fixes CVE-2019-12155 Affects: <= 4.0.0 (From OE-Core rev: 6045c57895cad301c5e3a94de740427343a08065) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-06-06 17:19:30 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-27 18:05:18 +0100
commit: 8e6d657a9c116a7b8239ed773aaf3940458cbd7c (patch)
tree: 9c33b2198a674867ec5d89d03a179a20005db5a3
parent: a43499cf8e91188e11616cff8f3c70ed033bfa86 (diff)
download: poky-8e6d657a9c116a7b8239ed773aaf3940458cbd7c.tar.gz
2 files changed, 39 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch
new file mode 100644
index 0000000000..8a5ece51f6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch
@@ -0,0 +1,38 @@
+From d52680fc932efb8a2f334cc6993e705ed1e31e99 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 25 Apr 2019 12:05:34 +0530
+Subject: [PATCH] qxl: check release info object
+When releasing spice resources in release_resource() routine,
+if release info object 'ext.info' is null, it leads to null
+pointer dereference. Add check to avoid it.
+Reported-by: Bugs SysSec <bugs-syssec@rub.de>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20190425063534.32747-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99
+CVE: CVE-2019-12155
+Affects: <= 4.0.0
+Signed-off-by: Armin Kuster <akuster@mvistra.com>
+---
+ hw/display/qxl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+Index: qemu-3.0.0/hw/display/qxl.c
+===================================================================
+--- qemu-3.0.0.orig/hw/display/qxl.c
+++ qemu-3.0.0/hw/display/qxl.c
+@@ -764,6 +764,9 @@ static void interface_release_resource(Q
+     QXLReleaseRing *ring;
+     uint64_t *item, id;
+ 
+    if (!ext.info) {
+        return;
+    }
+     if (ext.group_id == MEMSLOT_GROUP_HOST) {
+         /* host group -> vga mode update request */
+         QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index 992cf7b1a8..63a6468acd 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -31,6 +31,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2018-19364_p1.patch \
           file://CVE-2018-19364_p2.patch \
           file://CVE-2018-19489.patch \
+           file://CVE-2019-12155.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
author	Armin Kuster <akuster@mvista.com>	2019-06-06 17:19:30 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +0100
commit	8e6d657a9c116a7b8239ed773aaf3940458cbd7c (patch)
tree	9c33b2198a674867ec5d89d03a179a20005db5a3
parent	a43499cf8e91188e11616cff8f3c70ed033bfa86 (diff)
download	poky-8e6d657a9c116a7b8239ed773aaf3940458cbd7c.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch new file mode 100644 index 0000000000..8a5ece51f6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch
@@ -0,0 +1,38 @@
		1	From d52680fc932efb8a2f334cc6993e705ed1e31e99 Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Thu, 25 Apr 2019 12:05:34 +0530
		4	Subject: [PATCH] qxl: check release info object
		5
		6	When releasing spice resources in release_resource() routine,
		7	if release info object 'ext.info' is null, it leads to null
		8	pointer dereference. Add check to avoid it.
		9
		10	Reported-by: Bugs SysSec <bugs-syssec@rub.de>
		11	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		12	Message-id: 20190425063534.32747-1-ppandit@redhat.com
		13	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		14
		15	Upstream-Status: Backport
		16	https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99
		17
		18	CVE: CVE-2019-12155
		19	Affects: <= 4.0.0
		20	Signed-off-by: Armin Kuster <akuster@mvistra.com>
		21	---
		22	hw/display/qxl.c \| 3 +++
		23	1 file changed, 3 insertions(+)
		24
		25	Index: qemu-3.0.0/hw/display/qxl.c
		26	===================================================================
		27	--- qemu-3.0.0.orig/hw/display/qxl.c
		28	+++ qemu-3.0.0/hw/display/qxl.c
		29	@@ -764,6 +764,9 @@ static void interface_release_resource(Q
		30	QXLReleaseRing *ring;
		31	uint64_t *item, id;
		32
		33	+ if (!ext.info) {
		34	+ return;
		35	+ }
		36	if (ext.group_id == MEMSLOT_GROUP_HOST) {
		37	/* host group -> vga mode update request */
		38	QXLCommandExt cmdext = (void )(intptr_t)(ext.info->id);


diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb index 992cf7b1a8..63a6468acd 100644 --- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -31,6 +31,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
31	file://CVE-2018-19364_p1.patch \	31	file://CVE-2018-19364_p1.patch \
32	file://CVE-2018-19364_p2.patch \	32	file://CVE-2018-19364_p2.patch \
33	file://CVE-2018-19489.patch \	33	file://CVE-2018-19489.patch \
		34	file://CVE-2019-12155.patch \
34	"	35	"
35	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	36	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
36		37