author | Tudor Florea <tudor.florea@enea.com> | 2015-07-07 00:29:37 +0200 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-07-07 00:29:37 +0200 |
commit | c190b396d5d2b0ce2caabf7366f3b08546187f11 (patch) | |
tree | 5a0748d0fe6581dd4c8eaf9dbdefe498bf9a0e64 /meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch | |
parent | e8be346c3a210a1b4da8b6943c5fe2e5556d29b9 (diff) | |
download | poky-c190b396d5d2b0ce2caabf7366f3b08546187f11.tar.gz |
qemu: fixed multiple CVEs
CVE-2015-3456, fdc: out-of-bounds fifo buffer memory access
CVE-2014-5263, missing field list terminator in vmstate_xhci_event
CVE-2014-3689, vmware_vga: insufficient parameter validation in rectangle
functions
CVE-2014-7815, vnc: insufficient bits_per_pixel from the client sanitization
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch new file mode 100644 index 0000000000..ef70c16423 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 2ad23e10869f1b54c5c92fc21af453896ebb5c92 Mon Sep 17 00:00:00 2001 | ||
2 | From: Laszlo Ersek <lersek@redhat.com> | ||
3 | Date: Tue, 22 Jul 2014 17:26:41 +0200 | ||
4 | Subject: [PATCH] vmstate_xhci_event: fix unterminated field list | ||
5 | |||
6 | "vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live | ||
7 | migration support"), and first released in v1.6.0. The field list in this | ||
8 | VMSD is not terminated with the VMSTATE_END_OF_LIST() macro. | ||
9 | |||
10 | During normal use (ie. migration), the issue is practically invisible, | ||
11 | because the "vmstate_xhci_event" object (with the unterminated field list) | ||
12 | is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full() | ||
13 | returns true, for the "ev_buffer" test. Since that field_exists() check | ||
14 | (apparently) almost always returns false, we almost never traverse | ||
15 | "vmstate_xhci_event" during migration, which hides the bug. | ||
16 | |||
17 | However, Amit's vmstate checker forces recursion into this VMSD as well, | ||
18 | and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator | ||
19 | check (field->name != NULL) in dump_vmstate_vmsd(). The result is | ||
20 | undefined behavior, which in my case translates to infinite recursion | ||
21 | (because the loop happens to overflow into "vmstate_xhci_intr", which then | ||
22 | links back to "vmstate_xhci_event"). | ||
23 | |||
24 | Add the missing terminator. | ||
25 | |||
26 | Fixes CVE-2014-5263. | ||
27 | Upstream-Status: Backport | ||
28 | |||
29 | Signed-off-by: Laszlo Ersek <lersek@redhat.com> | ||
30 | Reviewed-by: Amit Shah <amit.shah@redhat.com> | ||
31 | Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> | ||
32 | Cc: qemu-stable@nongnu.org | ||
33 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
34 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
35 | --- | ||
36 | hw/usb/hcd-xhci.c | 1 + | ||
37 | 1 file changed, 1 insertion(+) | ||
38 | |||
39 | diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c | ||
40 | index 835f65e..745617e 100644 | ||
41 | --- a/hw/usb/hcd-xhci.c | ||
42 | +++ b/hw/usb/hcd-xhci.c | ||
43 | @@ -3571,6 +3571,7 @@ static const VMStateDescription vmstate_xhci_event = { | ||
44 | VMSTATE_UINT32(flags, XHCIEvent), | ||
45 | VMSTATE_UINT8(slotid, XHCIEvent), | ||
46 | VMSTATE_UINT8(epid, XHCIEvent), | ||
47 | + VMSTATE_END_OF_LIST() | ||
48 | } | ||
49 | }; | ||
50 | |||
51 | -- | ||
52 | 1.9.1 | ||
53 | |||
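Review bot: the `Upstream-Status: Backport` tag on line 27 of the new file does not name the upstream commit or release the fix was taken from; the only candidate reference is the hash in the `From 2ad23e10869f...` line at the top. Put that reference next to the tag, so the patch can be dropped without guesswork once the recipe moves to a QEMU release that already has the terminator. Separately, the embedded hunk at `hw/usb/hcd-xhci.c` line 3571 terminates a single field list, and the message says the defect stayed hidden during normal migration. It would be worth running the vmstate checker it mentions against the recipe's QEMU version to confirm that no other VMSD is missing `VMSTATE_END_OF_LIST()`.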