diff options
author | Chee Yang Lee <chee.yang.lee@intel.com> | 2023-03-21 11:40:23 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-04-01 20:23:23 +0100 |
commit | 72707c04e10248640328dd39afe55ba08195965d (patch) | |
tree | 9d675807dc06d19e792546938aa2e5f929092490 /meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch | |
parent | f76c7b8e6366129a2550417ed6f091717d897a81 (diff) | |
download | poky-72707c04e10248640328dd39afe55ba08195965d.tar.gz |
qemu: fix multple CVEs
import patches from ubuntu to fix
CVE-2020-15469
CVE-2020-15859
CVE-2020-17380
CVE-2020-35504
CVE-2020-35505
CVE-2021-3409
CVE-2022-26354
https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches?h=ubuntu/focal-security
Combine patches for both CVE-2020-25085 and CVE-2021-3409 also fix CVE-2020-17380.
so mark CVE-2020-17380 fixed by CVE-2021-3409 patches. CVE-2020-17380 patch backported since
oecore rev 6b4c58a31ec11e557d40c31f2532985dd53e61eb.
(From OE-Core rev: 3ee2e9027d57dd5ae9f8795436c1acd18a9f1e24)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch new file mode 100644 index 0000000000..fc4d6cf3df --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 8d1b247f3748ac4078524130c6d7ae42b6140aaf Mon Sep 17 00:00:00 2001 | ||
4 | From: Stefano Garzarella <sgarzare@redhat.com> | ||
5 | Date: Mon, 28 Feb 2022 10:50:58 +0100 | ||
6 | Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error | ||
7 | |||
8 | In vhost_vsock_common_send_transport_reset(), if an element popped from | ||
9 | the virtqueue is invalid, we should call virtqueue_detach_element() to | ||
10 | detach it from the virtqueue before freeing its memory. | ||
11 | |||
12 | Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") | ||
13 | Fixes: CVE-2022-26354 | ||
14 | Cc: qemu-stable@nongnu.org | ||
15 | Reported-by: VictorV <vv474172261@gmail.com> | ||
16 | Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> | ||
17 | Message-Id: <20220228095058.27899-1-sgarzare@redhat.com> | ||
18 | Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
19 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
20 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
21 | |||
22 | CVE: CVE-2022-26354 | ||
23 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2022-26354.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf ] | ||
24 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
25 | --- | ||
26 | hw/virtio/vhost-vsock-common.c | 10 +++++++--- | ||
27 | 1 file changed, 7 insertions(+), 3 deletions(-) | ||
28 | |||
29 | --- a/hw/virtio/vhost-vsock.c | ||
30 | +++ b/hw/virtio/vhost-vsock.c | ||
31 | @@ -221,19 +221,23 @@ static void vhost_vsock_send_transport_r | ||
32 | if (elem->out_num) { | ||
33 | error_report("invalid vhost-vsock event virtqueue element with " | ||
34 | "out buffers"); | ||
35 | - goto out; | ||
36 | + goto err; | ||
37 | } | ||
38 | |||
39 | if (iov_from_buf(elem->in_sg, elem->in_num, 0, | ||
40 | &event, sizeof(event)) != sizeof(event)) { | ||
41 | error_report("vhost-vsock event virtqueue element is too short"); | ||
42 | - goto out; | ||
43 | + goto err; | ||
44 | } | ||
45 | |||
46 | virtqueue_push(vq, elem, sizeof(event)); | ||
47 | virtio_notify(VIRTIO_DEVICE(vsock), vq); | ||
48 | |||
49 | -out: | ||
50 | + g_free(elem); | ||
51 | + return; | ||
52 | + | ||
53 | +err: | ||
54 | + virtqueue_detach_element(vq, elem, 0); | ||
55 | g_free(elem); | ||
56 | } | ||
57 | |||