diff options
| author | Dan Tran <dantran@microsoft.com> | 2019-09-20 18:46:57 +0000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-10 16:52:30 +0100 |
| commit | 7d0a5058e604ff7fc1dc3fe547138a2b85f467a1 (patch) | |
| tree | dd11efd6370c1f6fcf387c03804411bf475711ae /meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch | |
| parent | 70f57755d7e841748ec9cfccf6698a9f317bee5e (diff) | |
| download | poky-7d0a5058e604ff7fc1dc3fe547138a2b85f467a1.tar.gz | |
qemu: Fix 4 CVEs
Fixes CVE-2018-18954, CVE-2019-3812, CVE-2019-6778, and CVE-2019-8934.
Also deleted duplicated patch and cleanup.
(From OE-Core rev: e4b6a39bdf1b660233a7145599cd4fc3e971fc8f)
Signed-off-by: Dan Tran <dantran@microsoft.com>
[fixup for thud-next]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch new file mode 100644 index 0000000000..5b14596042 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | From b6c0fa3b435375918714e107b22de2ef13a41c26 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 3 | Date: Sun, 13 Jan 2019 23:29:48 +0530 | ||
| 4 | Subject: [PATCH] slirp: check data length while emulating ident function | ||
| 5 | |||
| 6 | While emulating identification protocol, tcp_emu() does not check | ||
| 7 | available space in the 'sc_rcv->sb_data' buffer. It could lead to | ||
| 8 | heap buffer overflow issue. Add check to avoid it. | ||
| 9 | |||
| 10 | Reported-by: Kira <864786842@qq.com> | ||
| 11 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 12 | Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> | ||
| 13 | |||
| 14 | CVE: CVE-2019-6778 | ||
| 15 | Upstream-Status: Backport | ||
| 16 | [https://git.qemu.org/?p=qemu.git;a=commit;h=a7104eda7dab99d0cdbd3595c211864cba415905] | ||
| 17 | |||
| 18 | Signed-off-by: Dan Tran <dantran@microsoft.com> | ||
| 19 | --- | ||
| 20 | slirp/tcp_subr.c | 5 +++++ | ||
| 21 | 1 file changed, 5 insertions(+) | ||
| 22 | |||
| 23 | diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c | ||
| 24 | index 8d0f94b75f..7277aadfdf 100644 | ||
| 25 | --- a/slirp/tcp_subr.c | ||
| 26 | +++ b/slirp/tcp_subr.c | ||
| 27 | @@ -640,6 +640,11 @@ tcp_emu(struct socket *so, struct mbuf *m) | ||
| 28 | socklen_t addrlen = sizeof(struct sockaddr_in); | ||
| 29 | struct sbuf *so_rcv = &so->so_rcv; | ||
| 30 | |||
| 31 | + if (m->m_len > so_rcv->sb_datalen | ||
| 32 | + - (so_rcv->sb_wptr - so_rcv->sb_data)) { | ||
| 33 | + return 1; | ||
| 34 | + } | ||
| 35 | + | ||
| 36 | memcpy(so_rcv->sb_wptr, m->m_data, m->m_len); | ||
| 37 | so_rcv->sb_wptr += m->m_len; | ||
| 38 | so_rcv->sb_rptr += m->m_len; | ||
| 39 | -- | ||
| 40 | 2.22.0.vfs.1.1.57.gbaf16c8 | ||
| 41 | |||