author | Kai Kang <kai.kang@windriver.com> | 2019-03-15 04:01:19 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-03-19 15:28:52 +0000 |
commit | 2f7749c12f7394be81433577220688034eaafab8 (patch) | |
tree | 20316204ba0cf08cb1edaa17c908b07ecccd5c9b /meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch | |
parent | a9b2f3561ee0fbe9db08ebbba63e69699cdd049a (diff) | |
download | poky-2f7749c12f7394be81433577220688034eaafab8.tar.gz |
qemu: backport patches to fix cves
CVE: CVE-2018-16872
CVE: CVE-2018-20124
CVE: CVE-2018-20125
CVE: CVE-2018-20126
CVE: CVE-2018-20191
CVE: CVE-2018-20216
Patches 0015-fix-CVE-2018-20124.patch and 0017-fix-CVE-2018-20126.patch
are rebased on current source code. Others are not modified.
(From OE-Core rev: 489ece1aa90d8f76b4c1f009d837f82e38e11ba9)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch | 113 |
1 files changed, 113 insertions, 0 deletions
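--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
@@ -0,0 +1,113 @@
+CVE: CVE-2018-20126
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=509f57c]
+
+Backport and rebase patch to fix CVE-2018-20126.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 509f57c98e7536905bb4902363d0cba66ce7e089 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:37 +0530
+Subject: [PATCH] pvrdma: release ring object in case of an error
+
+create_cq and create_qp routines allocate ring object, but it's
+not released in case of an error, leading to memory leakage.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+---
+hw/rdma/vmw/pvrdma_cmd.c | 41 ++++++++++++++++++++++++++++++-----------
+1 file changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index 4faeb21..9b6796f 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -310,6 +310,14 @@ out:
+return rc;
+}
+
++static void destroy_cq_ring(PvrdmaRing *ring)
++{
++ pvrdma_ring_free(ring);
++ /* ring_state was in slot 1, not 0 so need to jump back */
++ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
++ g_free(ring);
++}
++
+static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
+union pvrdma_cmd_resp *rsp)
+{
+@@ -333,6 +341,10 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
+
+resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
+cmd->cqe, &resp->cq_handle, ring);
++ if (resp->hdr.err) {
++ destroy_cq_ring(ring);
++ }
++
+resp->cqe = cmd->cqe;
+
+out:
+@@ -356,10 +368,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
+}
+
+ring = (PvrdmaRing *)cq->opaque;
+- pvrdma_ring_free(ring);
+- /* ring_state was in slot 1, not 0 so need to jump back */
+- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
+- g_free(ring);
++ destroy_cq_ring(ring);
+
+rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
+
+@@ -451,6 +460,17 @@ out:
+return rc;
+}
+
++static void destroy_qp_rings(PvrdmaRing *ring)
++{
++ pr_dbg("sring=%p\n", &ring[0]);
++ pvrdma_ring_free(&ring[0]);
++ pr_dbg("rring=%p\n", &ring[1]);
++ pvrdma_ring_free(&ring[1]);
++
++ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
++ g_free(ring);
++}
++
+static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
+union pvrdma_cmd_resp *rsp)
+{
+@@ -482,6 +502,11 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
+cmd->max_recv_wr, cmd->max_recv_sge,
+cmd->recv_cq_handle, rings, &resp->qpn);
+
++ if (resp->hdr.err) {
++ destroy_qp_rings(rings);
++ return resp->hdr.err;
++ }
++
+resp->max_send_wr = cmd->max_send_wr;
+resp->max_recv_wr = cmd->max_recv_wr;
+resp->max_send_sge = cmd->max_send_sge;
+@@ -555,13 +580,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
+rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
+
+ring = (PvrdmaRing *)qp->opaque;
+- pr_dbg("sring=%p\n", &ring[0]);
+- pvrdma_ring_free(&ring[0]);
+- pr_dbg("rring=%p\n", &ring[1]);
+- pvrdma_ring_free(&ring[1]);
+-
+- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
+- g_free(ring);
++ destroy_qp_rings(ring);
+
+return 0;
+}
+--
+2.20.1
+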
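Review bot: In destroy_qp the context lines still call `rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);` before `ring = (PvrdmaRing *)qp->opaque;`, so the ring pointer passed to the new destroy_qp_rings() is read from a QP entry that has already been deallocated. destroy_cq in the same patch uses the opposite order: it reads `cq->opaque`, destroys the ring, and only then calls `rdma_rm_dealloc_cq`. Whether rdma_rm_dealloc_qp invalidates or recycles the entry is not visible here, but if it does, this is a use-after-free on a command path that appears to be driven by guest requests. I would move the dealloc call to after `destroy_qp_rings(ring);` so both destroy paths tear down in the same order. Separately, both new helpers read `ring->dev` and `ring->ring_state` after pvrdma_ring_free(), which assumes that function leaves those fields intact; a short comment saying so would help once confirmed, and note that the destroy_qp and create_qp bodies extend beyond the hunks shown.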