qemu: fix CVE-2020-7039

(From OE-Core rev: 5ea3d9d83ed695827634e3216664c13fcff6d48a) (From OE-Core rev: b7b96bd938cf4167b4abeebb68d35ba74ce0d3c6) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2020-05-02 00:41:12 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-05-07 17:32:09 +0100
commit: 76f72ee8a9239d36e45a4883048371081b8a6bca (patch)
tree: bf0a988b7e13148c3d32ada5dacc03588d6f4955 /meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
parent: e2065837fcc0d51480b9ca9106c9c10352e89aad (diff)
download: poky-76f72ee8a9239d36e45a4883048371081b8a6bca.tar.gz
1 files changed, 44 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
new file mode 100644
index 0000000000..df6bca6db6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
@@ -0,0 +1,44 @@
+From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:07:35 +0800
+Subject: [PATCH] tcp_emu: Fix oob access
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index d6dd133..4bea2d4 100644
+--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
+@@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 break;
+ 
+             case 5:
+                if (bptr == m->m_data + m->m_len - 1)
+                        return 1; /* We need two bytes */
+                 /*
+                  * The difference between versions 1.0 and
+                  * 2.0 is here. For future versions of
+@@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 /* This is the field containing the port
+                  * number that RA-player is listening to.
+                  */
+
+                if (bptr == m->m_data + m->m_len - 1)
+                        return 1; /* We need two bytes */
+
+                 lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
+                 if (lport < 6970)
+                     lport += 256; /* don't know why */
+-- 
+2.7.4
author	Changqing Li <changqing.li@windriver.com>	2020-05-02 00:41:12 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-05-07 17:32:09 +0100
commit	76f72ee8a9239d36e45a4883048371081b8a6bca (patch)
tree	bf0a988b7e13148c3d32ada5dacc03588d6f4955 /meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
parent	e2065837fcc0d51480b9ca9106c9c10352e89aad (diff)
download	poky-76f72ee8a9239d36e45a4883048371081b8a6bca.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch new file mode 100644 index 0000000000..df6bca6db6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
@@ -0,0 +1,44 @@
	1	From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001
	2	From: Changqing Li <changqing.li@windriver.com>
	3	Date: Thu, 27 Feb 2020 12:07:35 +0800
	4	Subject: [PATCH] tcp_emu: Fix oob access
	5
	6	The main loop only checks for one available byte, while we sometimes
	7	need two bytes.
	8
	9	CVE: CVE-2020-7039
	10	Upstream-Status: Backport
	11	[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289]
	12
	13	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	14	---
	15	slirp/src/tcp_subr.c \| 6 ++++++
	16	1 file changed, 6 insertions(+)
	17
	18	diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
	19	index d6dd133..4bea2d4 100644
	20	--- a/slirp/src/tcp_subr.c
	21	+++ b/slirp/src/tcp_subr.c
	22	@@ -886,6 +886,8 @@ int tcp_emu(struct socket so, struct mbuf m)
	23	break;
	24
	25	case 5:
	26	+ if (bptr == m->m_data + m->m_len - 1)
	27	+ return 1; /* We need two bytes */
	28	/*
	29	* The difference between versions 1.0 and
	30	* 2.0 is here. For future versions of
	31	@@ -901,6 +903,10 @@ int tcp_emu(struct socket so, struct mbuf m)
	32	/* This is the field containing the port
	33	* number that RA-player is listening to.
	34	*/
	35	+
	36	+ if (bptr == m->m_data + m->m_len - 1)
	37	+ return 1; /* We need two bytes */
	38	+
	39	lport = (((uint8_t )bptr)[0] << 8) + ((uint8_t )bptr)[1];
	40	if (lport < 6970)
	41	lport += 256; /* don't know why */
	42	--
	43	2.7.4
	44