diff options
| author | Lee Chee Yang <chee.yang.lee@intel.com> | 2020-06-16 16:21:42 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-07-08 10:47:50 +0100 |
| commit | 4e90fb17b129b7a5df584799ec9629474362d50c (patch) | |
| tree | e5d6d71e2c9e9e7d6ae3ebd87dfe039ad67413c1 /meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch | |
| parent | 09d29eb36a335cadb1249f6849e090d22bbf5a2e (diff) | |
| download | poky-4e90fb17b129b7a5df584799ec9629474362d50c.tar.gz | |
qemu: fix CVE-2020-10702 & CVE-2020-13765
(From OE-Core rev: 684307688eb0c1a98be8885164ecc8f578a36cf8)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch new file mode 100644 index 0000000000..9014ba0f13 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch | |||
| @@ -0,0 +1,48 @@ | |||
| 1 | From e423455c4f23a1a828901c78fe6d03b7dde79319 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Thomas Huth <thuth@redhat.com> | ||
| 3 | Date: Wed, 25 Sep 2019 14:16:43 +0200 | ||
| 4 | Subject: [PATCH] hw/core/loader: Fix possible crash in rom_copy() | ||
| 5 | |||
| 6 | Both, "rom->addr" and "addr" are derived from the binary image | ||
| 7 | that can be loaded with the "-kernel" paramer. The code in | ||
| 8 | rom_copy() then calculates: | ||
| 9 | |||
| 10 | d = dest + (rom->addr - addr); | ||
| 11 | |||
| 12 | and uses "d" as destination in a memcpy() some lines later. Now with | ||
| 13 | bad kernel images, it is possible that rom->addr is smaller than addr, | ||
| 14 | thus "rom->addr - addr" gets negative and the memcpy() then tries to | ||
| 15 | copy contents from the image to a bad memory location. This could | ||
| 16 | maybe be used to inject code from a kernel image into the QEMU binary, | ||
| 17 | so we better fix it with an additional sanity check here. | ||
| 18 | |||
| 19 | Cc: qemu-stable@nongnu.org | ||
| 20 | Reported-by: Guangming Liu | ||
| 21 | Buglink: https://bugs.launchpad.net/qemu/+bug/1844635 | ||
| 22 | Message-Id: <20190925130331.27825-1-thuth@redhat.com> | ||
| 23 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
| 24 | Signed-off-by: Thomas Huth <thuth@redhat.com> | ||
| 25 | |||
| 26 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=e423455c4f23a1a828901c78fe6d03b7dde79319] | ||
| 27 | CVE: CVE-2020-13765 | ||
| 28 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
| 29 | --- | ||
| 30 | hw/core/loader.c | 2 +- | ||
| 31 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 32 | |||
| 33 | diff --git a/hw/core/loader.c b/hw/core/loader.c | ||
| 34 | index 0d60219..5099f27 100644 | ||
| 35 | --- a/hw/core/loader.c | ||
| 36 | +++ b/hw/core/loader.c | ||
| 37 | @@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size) | ||
| 38 | if (rom->addr + rom->romsize < addr) { | ||
| 39 | continue; | ||
| 40 | } | ||
| 41 | - if (rom->addr > end) { | ||
| 42 | + if (rom->addr > end || rom->addr < addr) { | ||
| 43 | break; | ||
| 44 | } | ||
| 45 | |||
| 46 | -- | ||
| 47 | 1.8.3.1 | ||
| 48 | |||