summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLi Wang <li.wang@windriver.com>2020-12-01 02:16:54 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-12-18 23:01:48 +0000
commit6006b3514fb750d744ecb7e0ee2944cb5855fd9b (patch)
tree86b3435630ad7853aac45fbd9a1e65ee4cf00294
parente6cd9ba1a895cb2e50fda2dd6f06bb974c84618b (diff)
downloadpoky-6006b3514fb750d744ecb7e0ee2944cb5855fd9b.tar.gz
qemu: CVE-2020-29129 CVE-2020-29130
References: https://nvd.nist.gov/vuln/detail/CVE-2020-29129 https://nvd.nist.gov/vuln/detail/CVE-2020-29130 backport patch from: https://git.qemu.org/?p=libslirp.git;a=commit;h=2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f (From OE-Core rev: 0a9a9a4d524c5b932cc24f51994368e07dd2e81f) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e5eda809a41732dfa4988799360be3d1280c1209) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch64
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 11be545cb5..bbe2a39755 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -33,6 +33,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
33 file://usb-fix-setup_len-init.patch \ 33 file://usb-fix-setup_len-init.patch \
34 file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ 34 file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
35 file://CVE-2020-24352.patch \ 35 file://CVE-2020-24352.patch \
36 file://CVE-2020-29129-CVE-2020-29130.patch \
36 " 37 "
37UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 38UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
38 39
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch
new file mode 100644
index 0000000000..e5829f6dad
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch
@@ -0,0 +1,64 @@
1From 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 26 Nov 2020 19:27:06 +0530
4Subject: [PATCH] slirp: check pkt_len before reading protocol header
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
10routines, ensure that pkt_len is large enough to accommodate the
11respective protocol headers, lest it should do an OOB access.
12Add check to avoid it.
13
14CVE-2020-29129 CVE-2020-29130
15 QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
16 -> https://www.openwall.com/lists/oss-security/2020/11/27/1
17
18Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
19Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
20Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
21Reviewed-by: Marc-Andrà Lureau <marcandre.lureau@redhat.com>
22
23Upstream-Status: Backport
24CVE: CVE-2020-29129 CVE-2020-29130
25[https://git.qemu.org/?p=libslirp.git;a=commit;h=2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f]
26Signed-off-by: Li Wang <li.wang@windriver.com>
27---
28 slirp/src/ncsi.c | 4 ++++
29 slirp/src/slirp.c | 4 ++++
30 2 files changed, 8 insertions(+)
31
32diff --git a/slirp/src/ncsi.c b/slirp/src/ncsi.c
33index 3c1dfef..75dcc08 100644
34--- a/slirp/src/ncsi.c
35+++ b/slirp/src/ncsi.c
36@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
37 uint32_t checksum;
38 uint32_t *pchecksum;
39
40+ if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
41+ return; /* packet too short */
42+ }
43+
44 memset(ncsi_reply, 0, sizeof(ncsi_reply));
45
46 memset(reh->h_dest, 0xff, ETH_ALEN);
47diff --git a/slirp/src/slirp.c b/slirp/src/slirp.c
48index dba7c98..9be58e2 100644
49--- a/slirp/src/slirp.c
50+++ b/slirp/src/slirp.c
51@@ -756,6 +756,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
52 return;
53 }
54
55+ if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
56+ return; /* packet too short */
57+ }
58+
59 ar_op = ntohs(ah->ar_op);
60 switch (ar_op) {
61 case ARPOP_REQUEST:
62--
632.17.1
64