diff options
| author | Lee Chee Yang <chee.yang.lee@intel.com> | 2021-06-25 13:51:39 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-06-27 08:38:34 +0100 |
| commit | 8444eacecd1ae08f85b5d6d0f487d9fda2a0dfdb (patch) | |
| tree | 2084e82f5c9fff1c45df26f9f3364ab23cc07f5d /meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch | |
| parent | f0b9303004a80f10828bbf936fc8b2aa70f0f2b4 (diff) | |
| download | poky-8444eacecd1ae08f85b5d6d0f487d9fda2a0dfdb.tar.gz | |
qemu: fix CVE-2021-3527
(From OE-Core rev: 6774efd1e3d0bd5c8c34f84dcf4f698d7eafb36a)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch new file mode 100644 index 0000000000..77a5385692 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch | |||
| @@ -0,0 +1,42 @@ | |||
| 1 | From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
| 3 | Date: Mon, 3 May 2021 15:29:15 +0200 | ||
| 4 | Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527) | ||
| 5 | |||
| 6 | usb-host and usb-redirect try to batch bulk transfers by combining many | ||
| 7 | small usb packets into a single, large transfer request, to reduce the | ||
| 8 | overhead and improve performance. | ||
| 9 | |||
| 10 | This patch adds a size limit of 1 MiB for those combined packets to | ||
| 11 | restrict the host resources the guest can bind that way. | ||
| 12 | |||
| 13 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
| 14 | Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> | ||
| 15 | |||
| 16 | Upstream-Status: Backport | ||
| 17 | https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c | ||
| 18 | CVE: CVE-2021-3527 | ||
| 19 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
| 20 | |||
| 21 | --- | ||
| 22 | hw/usb/combined-packet.c | 4 +++- | ||
| 23 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
| 24 | |||
| 25 | diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c | ||
| 26 | index 5d57e883dc..e56802f89a 100644 | ||
| 27 | --- a/hw/usb/combined-packet.c | ||
| 28 | +++ b/hw/usb/combined-packet.c | ||
| 29 | @@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) | ||
| 30 | if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || | ||
| 31 | next == NULL || | ||
| 32 | /* Work around for Linux usbfs bulk splitting + migration */ | ||
| 33 | - (totalsize == (16 * KiB - 36) && p->int_req)) { | ||
| 34 | + (totalsize == (16 * KiB - 36) && p->int_req) || | ||
| 35 | + /* Next package may grow combined package over 1MiB */ | ||
| 36 | + totalsize > 1 * MiB - ep->max_packet_size) { | ||
| 37 | usb_device_handle_data(ep->dev, first); | ||
| 38 | assert(first->status == USB_RET_ASYNC); | ||
| 39 | if (first->combined) { | ||
| 40 | -- | ||
| 41 | GitLab | ||
| 42 | |||