qemu: fix CVE-2021-3416

Source: poky.org MR: 109686 Type: Security Fix Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?h=hardknott&id=381aebe82f1f6fcc26b47966bc8520dbb1476961 ChangeID: 50b1589249cc3c595d224e3a8347da2b54339ef8 Description: Drop CVE-2021-3416_4.patch as hw/net/msf2-emac.c does not exist in 4.2.0 (From OE-Core rev: 7a3ce8a79a6c682e1b38f757eb68534e0ce5589d) (From OE-Core rev: 44bb99fdd1a7eee78078f7d48b9b8aad729f84ec) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e2b5bc11d1b26b73b62e1a63cb75572793282dcb) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 381aebe82f1f6fcc26b47966bc8520dbb1476961) [Drop CVE-2021-3416_4.patch, affected file does not exist in 4.2.0] Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sakib Sajal <sakib.sajal@windriver.com> 2021-08-20 16:55:19 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-01 16:27:09 +0100
commit: 4bd52d64c9581cc9a87a0b6b113575881566e5fc (patch)
tree: 84815aa7498a42d6df70817d6b270d0c03b72e89 /meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
parent: 474c37c17ee8c8938de58d03e71e9f6a67ed4471 (diff)
download: poky-4bd52d64c9581cc9a87a0b6b113575881566e5fc.tar.gz
1 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
new file mode 100644
index 0000000000..b3b702cca4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
@@ -0,0 +1,42 @@
+From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Fri, 26 Feb 2021 13:47:53 -0500
+Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+This is intended to address CVE-2021-3416.
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
+CVE: CVE-2021-3416
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Index: qemu-4.2.0/hw/net/rtl8139.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/rtl8139.c
+++ qemu-4.2.0/hw/net/rtl8139.c
+@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL81
+         }
+ 
+         DPRINTF("+++ transmit loopback mode\n");
+-        rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
+        qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
+ 
+         if (iov) {
+             g_free(buf2);
author	Sakib Sajal <sakib.sajal@windriver.com>	2021-08-20 16:55:19 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-01 16:27:09 +0100
commit	4bd52d64c9581cc9a87a0b6b113575881566e5fc (patch)
tree	84815aa7498a42d6df70817d6b270d0c03b72e89 /meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
parent	474c37c17ee8c8938de58d03e71e9f6a67ed4471 (diff)
download	poky-4bd52d64c9581cc9a87a0b6b113575881566e5fc.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch new file mode 100644 index 0000000000..b3b702cca4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
@@ -0,0 +1,42 @@
	1	From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
	2	From: Alexander Bulekov <alxndr@bu.edu>
	3	Date: Fri, 26 Feb 2021 13:47:53 -0500
	4	Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
	5	loopback
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	This patch switches to use qemu_receive_packet() which can detect
	11	reentrancy and return early.
	12
	13	This is intended to address CVE-2021-3416.
	14
	15	Cc: Prasad J Pandit <ppandit@redhat.com>
	16	Cc: qemu-stable@nongnu.org
	17	Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
	18	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
	19	Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
	20	Signed-off-by: Jason Wang <jasowang@redhat.com>
	21
	22	Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
	23	CVE: CVE-2021-3416
	24
	25	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	26	---
	27	hw/net/rtl8139.c \| 2 +-
	28	1 file changed, 1 insertion(+), 1 deletion(-)
	29
	30	Index: qemu-4.2.0/hw/net/rtl8139.c
	31	===================================================================
	32	--- qemu-4.2.0.orig/hw/net/rtl8139.c
	33	+++ qemu-4.2.0/hw/net/rtl8139.c
	34	@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL81
	35	}
	36
	37	DPRINTF("+++ transmit loopback mode\n");
	38	- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
	39	+ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
	40
	41	if (iov) {
	42	g_free(buf2);