diff options
author | Adrian Dudau <adrian.dudau@enea.com> | 2016-11-03 14:18:00 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-05-18 13:14:20 +0100 |
commit | 485e244db8cc7d2c421e60a1ad3a2415a30852ee (patch) | |
tree | 22dfc5fe92e8c92fc8e3272ee82ae80ae019d966 /meta/recipes-devtools/qemu | |
parent | e8676b4f1a1ccb95597348b0fd42405dd679f02e (diff) | |
download | poky-485e244db8cc7d2c421e60a1ad3a2415a30852ee.tar.gz |
qemu: Security fix CVE-2016-4439
affects qemu < 2.7.0
Quick Emulator(Qemu) built with the ESP/NCR53C9x controller emulation
support is vulnerable to an OOB write access issue. The controller uses
16-byte FIFO buffer for command and data transfer. The OOB write occurs
while writing to this command buffer in routine get_cmd().
A privileged user inside guest could use this flaw to crash the Qemu
process resulting in DoS.
References:
----------
http://www.openwall.com/lists/oss-security/2016/05/19/4
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4441
(From OE-Core rev: 1bc071172236ea020cac9db96e33de81950a15ff)
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch | 78 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.5.0.bb | 1 |
2 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch new file mode 100644 index 0000000000..3cbe394bfd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch | |||
@@ -0,0 +1,78 @@ | |||
1 | From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Thu, 19 May 2016 16:09:31 +0530 | ||
4 | Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441) | ||
5 | |||
6 | The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte | ||
7 | FIFO buffer. It is used to handle command and data transfer. | ||
8 | Routine get_cmd() uses DMA to read scsi commands into this buffer. | ||
9 | Add check to validate DMA length against buffer size to avoid any | ||
10 | overrun. | ||
11 | |||
12 | Fixes CVE-2016-4441. | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | |||
16 | Reported-by: Li Qiang <liqiang6-s@360.cn> | ||
17 | Cc: qemu-stable@nongnu.org | ||
18 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
19 | Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com> | ||
20 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
21 | Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> | ||
22 | --- | ||
23 | hw/scsi/esp.c | 11 +++++++---- | ||
24 | 1 files changed, 7 insertions(+), 4 deletions(-) | ||
25 | |||
26 | diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c | ||
27 | index 01497e6..591c817 100644 | ||
28 | --- a/hw/scsi/esp.c | ||
29 | +++ b/hw/scsi/esp.c | ||
30 | @@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req) | ||
31 | } | ||
32 | } | ||
33 | |||
34 | -static uint32_t get_cmd(ESPState *s, uint8_t *buf) | ||
35 | +static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) | ||
36 | { | ||
37 | uint32_t dmalen; | ||
38 | int target; | ||
39 | @@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) | ||
40 | dmalen = s->rregs[ESP_TCLO]; | ||
41 | dmalen |= s->rregs[ESP_TCMID] << 8; | ||
42 | dmalen |= s->rregs[ESP_TCHI] << 16; | ||
43 | + if (dmalen > buflen) { | ||
44 | + return 0; | ||
45 | + } | ||
46 | s->dma_memory_read(s->dma_opaque, buf, dmalen); | ||
47 | } else { | ||
48 | dmalen = s->ti_size; | ||
49 | @@ -166,7 +169,7 @@ static void handle_satn(ESPState *s) | ||
50 | s->dma_cb = handle_satn; | ||
51 | return; | ||
52 | } | ||
53 | - len = get_cmd(s, buf); | ||
54 | + len = get_cmd(s, buf, sizeof(buf)); | ||
55 | if (len) | ||
56 | do_cmd(s, buf); | ||
57 | } | ||
58 | @@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s) | ||
59 | s->dma_cb = handle_s_without_atn; | ||
60 | return; | ||
61 | } | ||
62 | - len = get_cmd(s, buf); | ||
63 | + len = get_cmd(s, buf, sizeof(buf)); | ||
64 | if (len) { | ||
65 | do_busid_cmd(s, buf, 0); | ||
66 | } | ||
67 | @@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s) | ||
68 | s->dma_cb = handle_satn_stop; | ||
69 | return; | ||
70 | } | ||
71 | - s->cmdlen = get_cmd(s, s->cmdbuf); | ||
72 | + s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf)); | ||
73 | if (s->cmdlen) { | ||
74 | trace_esp_handle_satn_stop(s->cmdlen); | ||
75 | s->do_cmd = 1; | ||
76 | -- | ||
77 | 1.7.0.4 | ||
78 | |||
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb index ed8d911ea6..58902b1988 100644 --- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb | |||
@@ -26,6 +26,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ | |||
26 | file://CVE-2016-6351_p2.patch \ | 26 | file://CVE-2016-6351_p2.patch \ |
27 | file://CVE-2016-4002.patch \ | 27 | file://CVE-2016-4002.patch \ |
28 | file://CVE-2016-5403.patch \ | 28 | file://CVE-2016-5403.patch \ |
29 | file://CVE-2016-4441.patch \ | ||
29 | " | 30 | " |
30 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" | 31 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" |
31 | SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db" | 32 | SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db" |