diff options
author | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-05-15 15:57:03 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-05-16 08:29:59 +0100 |
commit | d9aa32dbf9145d25565a17ac39b186e332ed9a12 (patch) | |
tree | 5d1c158c2e9c06265965641f638372a1e63c5135 /meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch | |
parent | a9e49336dcddf8b2a43116e7850c3e731786fb86 (diff) | |
download | poky-d9aa32dbf9145d25565a17ac39b186e332ed9a12.tar.gz |
qemu: Upgrade 5.2.0 -> 6.0.0
Building without PIE support seems broken upstream, enable it by default
to match the configuration others evidently use.
Tweak git submodule option to match upstream.
Drop backported/merged patches, refresh others.
(From OE-Core rev: ede1b86e663f1cafccc8aa8c35fa13ebd3f55d11)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch deleted file mode 100644 index 7175b24e99..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch +++ /dev/null | |||
@@ -1,55 +0,0 @@ | |||
1 | From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jason Wang <jasowang@redhat.com> | ||
3 | Date: Wed, 24 Feb 2021 13:45:28 +0800 | ||
4 | Subject: [PATCH] e1000: fail early for evil descriptor | ||
5 | |||
6 | During procss_tx_desc(), driver can try to chain data descriptor with | ||
7 | legacy descriptor, when will lead underflow for the following | ||
8 | calculation in process_tx_desc() for bytes: | ||
9 | |||
10 | if (tp->size + bytes > msh) | ||
11 | bytes = msh - tp->size; | ||
12 | |||
13 | This will lead a infinite loop. So check and fail early if tp->size if | ||
14 | greater or equal to msh. | ||
15 | |||
16 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
17 | Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr> | ||
18 | Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de> | ||
19 | Cc: Prasad J Pandit <ppandit@redhat.com> | ||
20 | Cc: qemu-stable@nongnu.org | ||
21 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
22 | |||
23 | Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8] | ||
24 | CVE: CVE-2021-20257 | ||
25 | |||
26 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
27 | --- | ||
28 | hw/net/e1000.c | 4 ++++ | ||
29 | 1 file changed, 4 insertions(+) | ||
30 | |||
31 | diff --git a/hw/net/e1000.c b/hw/net/e1000.c | ||
32 | index cf22c4f07..c3564c7ce 100644 | ||
33 | --- a/hw/net/e1000.c | ||
34 | +++ b/hw/net/e1000.c | ||
35 | @@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) | ||
36 | msh = tp->tso_props.hdr_len + tp->tso_props.mss; | ||
37 | do { | ||
38 | bytes = split_size; | ||
39 | + if (tp->size >= msh) { | ||
40 | + goto eop; | ||
41 | + } | ||
42 | if (tp->size + bytes > msh) | ||
43 | bytes = msh - tp->size; | ||
44 | |||
45 | @@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) | ||
46 | tp->size += split_size; | ||
47 | } | ||
48 | |||
49 | +eop: | ||
50 | if (!(txd_lower & E1000_TXD_CMD_EOP)) | ||
51 | return; | ||
52 | if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) { | ||
53 | -- | ||
54 | 2.29.2 | ||
55 | |||