diff options
author | Changqing Li <changqing.li@windriver.com> | 2020-05-02 00:41:12 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-05-07 17:32:09 +0100 |
commit | 76f72ee8a9239d36e45a4883048371081b8a6bca (patch) | |
tree | bf0a988b7e13148c3d32ada5dacc03588d6f4955 /meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch | |
parent | e2065837fcc0d51480b9ca9106c9c10352e89aad (diff) | |
download | poky-76f72ee8a9239d36e45a4883048371081b8a6bca.tar.gz |
qemu: fix CVE-2020-7039
(From OE-Core rev: 5ea3d9d83ed695827634e3216664c13fcff6d48a)
(From OE-Core rev: b7b96bd938cf4167b4abeebb68d35ba74ce0d3c6)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch new file mode 100644 index 0000000000..df6bca6db6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001 | ||
2 | From: Changqing Li <changqing.li@windriver.com> | ||
3 | Date: Thu, 27 Feb 2020 12:07:35 +0800 | ||
4 | Subject: [PATCH] tcp_emu: Fix oob access | ||
5 | |||
6 | The main loop only checks for one available byte, while we sometimes | ||
7 | need two bytes. | ||
8 | |||
9 | CVE: CVE-2020-7039 | ||
10 | Upstream-Status: Backport | ||
11 | [https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289] | ||
12 | |||
13 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
14 | --- | ||
15 | slirp/src/tcp_subr.c | 6 ++++++ | ||
16 | 1 file changed, 6 insertions(+) | ||
17 | |||
18 | diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c | ||
19 | index d6dd133..4bea2d4 100644 | ||
20 | --- a/slirp/src/tcp_subr.c | ||
21 | +++ b/slirp/src/tcp_subr.c | ||
22 | @@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) | ||
23 | break; | ||
24 | |||
25 | case 5: | ||
26 | + if (bptr == m->m_data + m->m_len - 1) | ||
27 | + return 1; /* We need two bytes */ | ||
28 | /* | ||
29 | * The difference between versions 1.0 and | ||
30 | * 2.0 is here. For future versions of | ||
31 | @@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m) | ||
32 | /* This is the field containing the port | ||
33 | * number that RA-player is listening to. | ||
34 | */ | ||
35 | + | ||
36 | + if (bptr == m->m_data + m->m_len - 1) | ||
37 | + return 1; /* We need two bytes */ | ||
38 | + | ||
39 | lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]; | ||
40 | if (lport < 6970) | ||
41 | lport += 256; /* don't know why */ | ||
42 | -- | ||
43 | 2.7.4 | ||
44 | |||