summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2021-06-25 13:51:39 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-06-27 08:38:34 +0100
commit8444eacecd1ae08f85b5d6d0f487d9fda2a0dfdb (patch)
tree2084e82f5c9fff1c45df26f9f3364ab23cc07f5d /meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
parentf0b9303004a80f10828bbf936fc8b2aa70f0f2b4 (diff)
downloadpoky-8444eacecd1ae08f85b5d6d0f487d9fda2a0dfdb.tar.gz
qemu: fix CVE-2021-3527
(From OE-Core rev: 6774efd1e3d0bd5c8c34f84dcf4f698d7eafb36a) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch')
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch42
1 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
new file mode 100644
index 0000000000..77a5385692
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
@@ -0,0 +1,42 @@
1From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001
2From: Gerd Hoffmann <kraxel@redhat.com>
3Date: Mon, 3 May 2021 15:29:15 +0200
4Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
5
6usb-host and usb-redirect try to batch bulk transfers by combining many
7small usb packets into a single, large transfer request, to reduce the
8overhead and improve performance.
9
10This patch adds a size limit of 1 MiB for those combined packets to
11restrict the host resources the guest can bind that way.
12
13Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
14Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
15
16Upstream-Status: Backport
17https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
18CVE: CVE-2021-3527
19Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
20
21---
22 hw/usb/combined-packet.c | 4 +++-
23 1 file changed, 3 insertions(+), 1 deletion(-)
24
25diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
26index 5d57e883dc..e56802f89a 100644
27--- a/hw/usb/combined-packet.c
28+++ b/hw/usb/combined-packet.c
29@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
30 if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
31 next == NULL ||
32 /* Work around for Linux usbfs bulk splitting + migration */
33- (totalsize == (16 * KiB - 36) && p->int_req)) {
34+ (totalsize == (16 * KiB - 36) && p->int_req) ||
35+ /* Next package may grow combined package over 1MiB */
36+ totalsize > 1 * MiB - ep->max_packet_size) {
37 usb_device_handle_data(ep->dev, first);
38 assert(first->status == USB_RET_ASYNC);
39 if (first->combined) {
40--
41GitLab
42