qemu: fix CVE-2016-7909

Backport patch to fix CVE-2016-7909 of qemu. Ref: https://security-tracker.debian.org/tracker/CVE-2016-7909 (From OE-Core rev: 126783ca25a5ae9daf87ac563239fbff4696a682) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2016-11-10 15:01:25 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-11-23 11:10:12 +0000
commit: 5acde3db0e1e63c173984bbae641c64fabc33f13 (patch)
tree: 2f0e4cbf0405d590a503bc3ce6b939c15a60bab6 /meta/recipes-devtools/qemu
parent: 40ae3ae8d1c6bd8bbcebdc4b7dd06e0552710648 (diff)
download: poky-5acde3db0e1e63c173984bbae641c64fabc33f13.tar.gz
2 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
new file mode 100644
index 0000000000..e71bbf6205
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
@@ -0,0 +1,42 @@
+Upstream-Status: Backport [http://git.qemu.org/?p=qemu.git;a=commit;h=34e29ce]
+CVE: CVE-2016-7909
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 34e29ce754c02bb6b3bdd244fbb85033460feaff Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 30 Sep 2016 00:27:33 +0530
+Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/pcnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 198a01f..3078de8 100644
+--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
+     case 47: /* POLLINT */
+     case 72:
+     case 74:
+        break;
+     case 76: /* RCVRL */
+     case 78: /* XMTRL */
+        val = (val > 0) ? val : 512;
+        break;
+     case 112:
+        if (CSR_STOP(s) || CSR_SPND(s))
+            break;
+-- 
+2.10.1
diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
index a75bcdfa0b..cef181dcea 100644
--- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
            file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \
            file://0002-fix-CVE-2016-7423.patch \
            file://0003-fix-CVE-2016-7908.patch \
+            file://0004-fix-CVE-2016-7909.patch \
 "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
author	Kai Kang <kai.kang@windriver.com>	2016-11-10 15:01:25 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-11-23 11:10:12 +0000
commit	5acde3db0e1e63c173984bbae641c64fabc33f13 (patch)
tree	2f0e4cbf0405d590a503bc3ce6b939c15a60bab6 /meta/recipes-devtools/qemu
parent	40ae3ae8d1c6bd8bbcebdc4b7dd06e0552710648 (diff)
download	poky-5acde3db0e1e63c173984bbae641c64fabc33f13.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch new file mode 100644 index 0000000000..e71bbf6205 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
@@ -0,0 +1,42 @@
		1	Upstream-Status: Backport [http://git.qemu.org/?p=qemu.git;a=commit;h=34e29ce]
		2	CVE: CVE-2016-7909
		3
		4	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		5	---
		6	From 34e29ce754c02bb6b3bdd244fbb85033460feaff Mon Sep 17 00:00:00 2001
		7	From: Prasad J Pandit <pjp@fedoraproject.org>
		8	Date: Fri, 30 Sep 2016 00:27:33 +0530
		9	Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
		10
		11	The AMD PC-Net II emulator has set of control and status(CSR)
		12	registers. Of these, CSR76 and CSR78 hold receive and transmit
		13	descriptor ring length respectively. This ring length could range
		14	from 1 to 65535. Setting ring length to zero leads to an infinite
		15	loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
		16
		17	Reported-by: Li Qiang <liqiang6-s@360.cn>
		18	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		19	Signed-off-by: Jason Wang <jasowang@redhat.com>
		20	---
		21	hw/net/pcnet.c \| 3 +++
		22	1 file changed, 3 insertions(+)
		23
		24	diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
		25	index 198a01f..3078de8 100644
		26	--- a/hw/net/pcnet.c
		27	+++ b/hw/net/pcnet.c
		28	@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
		29	case 47: /* POLLINT */
		30	case 72:
		31	case 74:
		32	+ break;
		33	case 76: /* RCVRL */
		34	case 78: /* XMTRL */
		35	+ val = (val > 0) ? val : 512;
		36	+ break;
		37	case 112:
		38	if (CSR_STOP(s) \|\| CSR_SPND(s))
		39	break;
		40	--
		41	2.10.1
		42


diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb index a75bcdfa0b..cef181dcea 100644 --- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
12	file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \	12	file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \
13	file://0002-fix-CVE-2016-7423.patch \	13	file://0002-fix-CVE-2016-7423.patch \
14	file://0003-fix-CVE-2016-7908.patch \	14	file://0003-fix-CVE-2016-7908.patch \
		15	file://0004-fix-CVE-2016-7909.patch \
15	"	16	"
16		17
17	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"	18	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"