summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLi Wang <Li.Wang@windriver.com>2020-08-10 08:15:25 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-09-10 12:21:41 (GMT)
commitdc4767f775a31c3d04ae868ea22ed9e747c6d83c (patch)
tree393ae87565c79c5de73e5982e1c2cc3e09012117
parent5ce2f71ca37512b64f14d9bcdc1ebedc24510db3 (diff)
downloadpoky-dc4767f775a31c3d04ae868ea22ed9e747c6d83c.tar.gz
qemu : fix CVE-2020-15863
(From OE-Core rev: 30b0784e2eef9c4d45296857b0792a4374020fab) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Li Wang <Li.Wang@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch64
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 702a817..012be74 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -41,6 +41,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
41 file://CVE-2020-10702.patch \ 41 file://CVE-2020-10702.patch \
42 file://CVE-2020-16092.patch \ 42 file://CVE-2020-16092.patch \
43 file://CVE-2020-10756.patch \ 43 file://CVE-2020-10756.patch \
44 file://CVE-2020-15863.patch \
44 " 45 "
45UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 46UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
46 47
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
new file mode 100644
index 0000000..9927584
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,64 @@
1From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
2From: Mauro Matteo Cascella <mcascell@redhat.com>
3Date: Fri, 10 Jul 2020 11:19:41 +0200
4Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
5
6A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
7occurs while sending an Ethernet frame due to missing break statements
8and improper checking of the buffer size.
9
10Reported-by: Ziming Zhang <ezrakiez@gmail.com>
11Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
12Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
13Signed-off-by: Jason Wang <jasowang@redhat.com>
14
15CVE: CVE-2020-15863
16Upstream-Status: Backport
17[https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555]
18Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
19Signed-off-by: Li Wang <li.wang@windriver.com>
20---
21 hw/net/xgmac.c | 14 ++++++++++++--
22 1 file changed, 12 insertions(+), 2 deletions(-)
23
24diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
25index f49df95..f496f7e 100644
26--- a/hw/net/xgmac.c
27+++ b/hw/net/xgmac.c
28@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)
29 }
30 len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
31
32+ /*
33+ * FIXME: these cases of malformed tx descriptors (bad sizes)
34+ * should probably be reported back to the guest somehow
35+ * rather than simply silently stopping processing, but we
36+ * don't know what the hardware does in this situation.
37+ * This will only happen for buggy guests anyway.
38+ */
39 if ((bd.buffer1_size & 0xfff) > 2048) {
40 DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
41 "xgmac buffer 1 len on send > 2048 (0x%x)\n",
42 __func__, bd.buffer1_size & 0xfff);
43+ break;
44 }
45 if ((bd.buffer2_size & 0xfff) != 0) {
46 DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
47 "xgmac buffer 2 len on send != 0 (0x%x)\n",
48 __func__, bd.buffer2_size & 0xfff);
49+ break;
50 }
51- if (len >= sizeof(frame)) {
52+ if (frame_size + len >= sizeof(frame)) {
53 DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
54- "buffer\n" , __func__, len, sizeof(frame));
55+ "buffer\n" , __func__, frame_size + len, sizeof(frame));
56 DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
57 __func__, bd.buffer1_size, bd.buffer2_size);
58+ break;
59 }
60
61 cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
62--
631.9.1
64