qemu: fix CVE-2016-7423 and CVE-2016-7908

Backport patches to fix CVE-2016-7423 and CVE-2016-7908 of qemu. (From OE-Core rev: 1f4c303fd64a4bc05882de01676f241f0df6da78) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2016-10-26 17:54:50 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-11-06 23:35:35 +0000
commit: 8ce19e9e0bb320644d558e18ba2c8d91b3ef1e2e (patch)
tree: 9885cce5f46c4b395abf5c584ad3394e44b1c86e /meta/recipes-devtools/qemu
parent: 19be0e3f43c0d322c31b48986d7492a3c4f261a2 (diff)
download: poky-8ce19e9e0bb320644d558e18ba2c8d91b3ef1e2e.tar.gz
3 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch b/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch
new file mode 100644
index 0000000000..fdf58a3d65
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch
@@ -0,0 +1,45 @@
+Upstream-Status: Backport
+Backport patch to fix CVE-2016-7423 from:
+http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed
+CVE: CVE-2016-7423
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 12 Sep 2016 18:14:11 +0530
+Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
+When processing IO request in mptsas, it uses g_new to allocate
+a 'req' object. If an error occurs before 'req->sreq' is
+allocated, It could lead to an OOB write in mptsas_free_request
+function. Use g_new0 to avoid it.
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/mptsas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 0e0a22f..eaae1bb 100644
+--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
+@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+         goto bad;
+     }
+ 
+-    req = g_new(MPTSASRequest, 1);
+    req = g_new0(MPTSASRequest, 1);
+     QTAILQ_INSERT_TAIL(&s->pending, req, next);
+     req->scsi_io = *scsi_io;
+     req->dev = s;
+-- 
+2.9.3
diff --git a/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch
new file mode 100644
index 0000000000..05cc3d9d13
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch
@@ -0,0 +1,62 @@
+Upstream-Status: Backport
+Backport patch to fix CVE-2016-7908 from:
+http://git.qemu.org/?p=qemu.git;a=commit;h=070c4b92b8c
+CVE: CVE-2016-7908
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 22 Sep 2016 16:02:37 +0530
+Subject: [PATCH] net: mcf: limit buffer descriptor count
+ColdFire Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set upper limit to number of buffer descriptors.
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/mcf_fec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index 0ee8ad9..d31fea1 100644
+--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
+@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
+ #define DPRINTF(fmt, ...) do {} while(0)
+ #endif
+ 
+#define FEC_MAX_DESC 1024
+ #define FEC_MAX_FRAME_SIZE 2032
+ 
+ typedef struct {
+@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+     uint32_t addr;
+     mcf_fec_bd bd;
+     int frame_size;
+-    int len;
+    int len, descnt = 0;
+     uint8_t frame[FEC_MAX_FRAME_SIZE];
+     uint8_t *ptr;
+ 
+@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+     ptr = frame;
+     frame_size = 0;
+     addr = s->tx_descriptor;
+-    while (1) {
+    while (descnt++ < FEC_MAX_DESC) {
+         mcf_fec_read_bd(&bd, addr);
+         DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
+                 addr, bd.flags, bd.length, bd.data);
+-- 
+2.9.3
diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
index 90e4eecb10..a75bcdfa0b 100644
--- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
@@ -10,6 +10,8 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
            file://pathlimit.patch \
            file://qemu-2.5.0-cflags.patch \
            file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \
+            file://0002-fix-CVE-2016-7423.patch \
+            file://0003-fix-CVE-2016-7908.patch \
 "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
author	Kai Kang <kai.kang@windriver.com>	2016-10-26 17:54:50 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-11-06 23:35:35 +0000
commit	8ce19e9e0bb320644d558e18ba2c8d91b3ef1e2e (patch)
tree	9885cce5f46c4b395abf5c584ad3394e44b1c86e /meta/recipes-devtools/qemu
parent	19be0e3f43c0d322c31b48986d7492a3c4f261a2 (diff)
download	poky-8ce19e9e0bb320644d558e18ba2c8d91b3ef1e2e.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch b/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch new file mode 100644 index 0000000000..fdf58a3d65 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch
@@ -0,0 +1,45 @@
		1	Upstream-Status: Backport
		2
		3	Backport patch to fix CVE-2016-7423 from:
		4
		5	http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed
		6
		7	CVE: CVE-2016-7423
		8
		9	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		10	---
		11	From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001
		12	From: Li Qiang <liqiang6-s@360.cn>
		13	Date: Mon, 12 Sep 2016 18:14:11 +0530
		14	Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
		15
		16	When processing IO request in mptsas, it uses g_new to allocate
		17	a 'req' object. If an error occurs before 'req->sreq' is
		18	allocated, It could lead to an OOB write in mptsas_free_request
		19	function. Use g_new0 to avoid it.
		20
		21	Reported-by: Li Qiang <liqiang6-s@360.cn>
		22	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		23	Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
		24	Cc: qemu-stable@nongnu.org
		25	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		26	---
		27	hw/scsi/mptsas.c \| 2 +-
		28	1 file changed, 1 insertion(+), 1 deletion(-)
		29
		30	diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
		31	index 0e0a22f..eaae1bb 100644
		32	--- a/hw/scsi/mptsas.c
		33	+++ b/hw/scsi/mptsas.c
		34	@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
		35	goto bad;
		36	}
		37
		38	- req = g_new(MPTSASRequest, 1);
		39	+ req = g_new0(MPTSASRequest, 1);
		40	QTAILQ_INSERT_TAIL(&s->pending, req, next);
		41	req->scsi_io = *scsi_io;
		42	req->dev = s;
		43	--
		44	2.9.3
		45


diff --git a/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch new file mode 100644 index 0000000000..05cc3d9d13 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch
@@ -0,0 +1,62 @@
		1	Upstream-Status: Backport
		2
		3	Backport patch to fix CVE-2016-7908 from:
		4
		5	http://git.qemu.org/?p=qemu.git;a=commit;h=070c4b92b8c
		6
		7	CVE: CVE-2016-7908
		8
		9	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		10	---
		11	From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001
		12	From: Prasad J Pandit <pjp@fedoraproject.org>
		13	Date: Thu, 22 Sep 2016 16:02:37 +0530
		14	Subject: [PATCH] net: mcf: limit buffer descriptor count
		15
		16	ColdFire Fast Ethernet Controller uses buffer descriptors to manage
		17	data flow to/fro receive & transmit queues. While transmitting
		18	packets, it could continue to read buffer descriptors if a buffer
		19	descriptor has length of zero and has crafted values in bd.flags.
		20	Set upper limit to number of buffer descriptors.
		21
		22	Reported-by: Li Qiang <liqiang6-s@360.cn>
		23	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		24	Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
		25	Signed-off-by: Jason Wang <jasowang@redhat.com>
		26	---
		27	hw/net/mcf_fec.c \| 5 +++--
		28	1 file changed, 3 insertions(+), 2 deletions(-)
		29
		30	diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
		31	index 0ee8ad9..d31fea1 100644
		32	--- a/hw/net/mcf_fec.c
		33	+++ b/hw/net/mcf_fec.c
		34	@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
		35	#define DPRINTF(fmt, ...) do {} while(0)
		36	#endif
		37
		38	+#define FEC_MAX_DESC 1024
		39	#define FEC_MAX_FRAME_SIZE 2032
		40
		41	typedef struct {
		42	@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
		43	uint32_t addr;
		44	mcf_fec_bd bd;
		45	int frame_size;
		46	- int len;
		47	+ int len, descnt = 0;
		48	uint8_t frame[FEC_MAX_FRAME_SIZE];
		49	uint8_t *ptr;
		50
		51	@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
		52	ptr = frame;
		53	frame_size = 0;
		54	addr = s->tx_descriptor;
		55	- while (1) {
		56	+ while (descnt++ < FEC_MAX_DESC) {
		57	mcf_fec_read_bd(&bd, addr);
		58	DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
		59	addr, bd.flags, bd.length, bd.data);
		60	--
		61	2.9.3
		62


diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb index 90e4eecb10..a75bcdfa0b 100644 --- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
@@ -10,6 +10,8 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
10	file://pathlimit.patch \	10	file://pathlimit.patch \
11	file://qemu-2.5.0-cflags.patch \	11	file://qemu-2.5.0-cflags.patch \
12	file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \	12	file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \
		13	file://0002-fix-CVE-2016-7423.patch \
		14	file://0003-fix-CVE-2016-7908.patch \
13	"	15	"
14		16
15	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"	17	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"