diff options
author | Kai Kang <kai.kang@windriver.com> | 2019-03-15 04:01:19 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-03-19 15:28:52 +0000 |
commit | 2f7749c12f7394be81433577220688034eaafab8 (patch) | |
tree | 20316204ba0cf08cb1edaa17c908b07ecccd5c9b /meta/recipes-devtools | |
parent | a9b2f3561ee0fbe9db08ebbba63e69699cdd049a (diff) | |
download | poky-2f7749c12f7394be81433577220688034eaafab8.tar.gz |
qemu: backport patches to fix cves
CVE: CVE-2018-16872
CVE: CVE-2018-20124
CVE: CVE-2018-20125
CVE: CVE-2018-20126
CVE: CVE-2018-20191
CVE: CVE-2018-20216
Patches 0015-fix-CVE-2018-20124.patch and 0017-fix-CVE-2018-20126.patch
are rebased on current source code. Others are not modified.
(From OE-Core rev: 489ece1aa90d8f76b4c1f009d837f82e38e11ba9)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
7 files changed, 450 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 985289f542..2babfe4c6f 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -23,6 +23,12 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
23 | file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \ | 23 | file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \ |
24 | file://0001-Add-a-missing-X11-include.patch \ | 24 | file://0001-Add-a-missing-X11-include.patch \ |
25 | file://0001-egl-headless-add-egl_create_context.patch \ | 25 | file://0001-egl-headless-add-egl_create_context.patch \ |
26 | file://0014-fix-CVE-2018-16872.patch \ | ||
27 | file://0015-fix-CVE-2018-20124.patch \ | ||
28 | file://0016-fix-CVE-2018-20125.patch \ | ||
29 | file://0017-fix-CVE-2018-20126.patch \ | ||
30 | file://0018-fix-CVE-2018-20191.patch \ | ||
31 | file://0019-fix-CVE-2018-20216.patch \ | ||
26 | " | 32 | " |
27 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 33 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
28 | 34 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch b/meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch new file mode 100644 index 0000000000..412aa16046 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch | |||
@@ -0,0 +1,85 @@ | |||
1 | CVE: CVE-2018-16872 | ||
2 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=bab9df35] | ||
3 | |||
4 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
5 | |||
6 | From bab9df35ce73d1c8e19a37e2737717ea1c984dc1 Mon Sep 17 00:00:00 2001 | ||
7 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
8 | Date: Thu, 13 Dec 2018 13:25:11 +0100 | ||
9 | Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC. | ||
10 | |||
11 | Open files and directories with O_NOFOLLOW to avoid symlinks attacks. | ||
12 | While being at it also add O_CLOEXEC. | ||
13 | |||
14 | usb-mtp only handles regular files and directories and ignores | ||
15 | everything else, so users should not see a difference. | ||
16 | |||
17 | Because qemu ignores symlinks, carrying out a successful symlink attack | ||
18 | requires swapping an existing file or directory below rootdir for a | ||
19 | symlink and winning the race against the inotify notification to qemu. | ||
20 | |||
21 | Fixes: CVE-2018-16872 | ||
22 | Cc: Prasad J Pandit <ppandit@redhat.com> | ||
23 | Cc: Bandan Das <bsd@redhat.com> | ||
24 | Reported-by: Michael Hanselmann <public@hansmi.ch> | ||
25 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
26 | Reviewed-by: Michael Hanselmann <public@hansmi.ch> | ||
27 | Message-id: 20181213122511.13853-1-kraxel@redhat.com | ||
28 | --- | ||
29 | hw/usb/dev-mtp.c | 13 +++++++++---- | ||
30 | 1 file changed, 9 insertions(+), 4 deletions(-) | ||
31 | |||
32 | diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c | ||
33 | index 100b7171f4..36c43b8c20 100644 | ||
34 | --- a/hw/usb/dev-mtp.c | ||
35 | +++ b/hw/usb/dev-mtp.c | ||
36 | @@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o) | ||
37 | { | ||
38 | struct dirent *entry; | ||
39 | DIR *dir; | ||
40 | + int fd; | ||
41 | |||
42 | if (o->have_children) { | ||
43 | return; | ||
44 | } | ||
45 | o->have_children = true; | ||
46 | |||
47 | - dir = opendir(o->path); | ||
48 | + fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); | ||
49 | + if (fd < 0) { | ||
50 | + return; | ||
51 | + } | ||
52 | + dir = fdopendir(fd); | ||
53 | if (!dir) { | ||
54 | return; | ||
55 | } | ||
56 | @@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, | ||
57 | |||
58 | trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); | ||
59 | |||
60 | - d->fd = open(o->path, O_RDONLY); | ||
61 | + d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); | ||
62 | if (d->fd == -1) { | ||
63 | usb_mtp_data_free(d); | ||
64 | return NULL; | ||
65 | @@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, | ||
66 | c->argv[1], c->argv[2]); | ||
67 | |||
68 | d = usb_mtp_data_alloc(c); | ||
69 | - d->fd = open(o->path, O_RDONLY); | ||
70 | + d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); | ||
71 | if (d->fd == -1) { | ||
72 | usb_mtp_data_free(d); | ||
73 | return NULL; | ||
74 | @@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s) | ||
75 | 0, 0, 0, 0); | ||
76 | goto done; | ||
77 | } | ||
78 | - d->fd = open(path, O_CREAT | O_WRONLY, mask); | ||
79 | + d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask); | ||
80 | if (d->fd == -1) { | ||
81 | usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, | ||
82 | 0, 0, 0, 0); | ||
83 | -- | ||
84 | 2.20.1 | ||
85 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch b/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch new file mode 100644 index 0000000000..ad846958a7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | CVE: CVE-2018-20124 | ||
2 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373] | ||
3 | |||
4 | Backport patch to fix CVE-2018-20124. Update context and stay with current | ||
5 | function comp_handler() which has been replaced with complete_work() in latest | ||
6 | git repo. | ||
7 | |||
8 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
9 | |||
10 | From 0e68373cc2b3a063ce067bc0cc3edaf370752890 Mon Sep 17 00:00:00 2001 | ||
11 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
12 | Date: Thu, 13 Dec 2018 01:00:34 +0530 | ||
13 | Subject: [PATCH] rdma: check num_sge does not exceed MAX_SGE | ||
14 | |||
15 | rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set | ||
16 | to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element | ||
17 | with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue. | ||
18 | Add check to avoid it. | ||
19 | |||
20 | Reported-by: Saar Amar <saaramar5@gmail.com> | ||
21 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
22 | Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> | ||
23 | Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> | ||
24 | --- | ||
25 | hw/rdma/rdma_backend.c | 12 ++++++------ | ||
26 | 1 file changed, 6 insertions(+), 6 deletions(-) | ||
27 | |||
28 | diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c | ||
29 | index d7a4bbd9..7f8028f8 100644 | ||
30 | --- a/hw/rdma/rdma_backend.c | ||
31 | +++ b/hw/rdma/rdma_backend.c | ||
32 | @@ -311,9 +311,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev, | ||
33 | } | ||
34 | |||
35 | pr_dbg("num_sge=%d\n", num_sge); | ||
36 | - if (!num_sge) { | ||
37 | - pr_dbg("num_sge=0\n"); | ||
38 | - comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); | ||
39 | + if (!num_sge || num_sge > MAX_SGE) { | ||
40 | + pr_dbg("invalid num_sge=%d\n", num_sge); | ||
41 | + comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_INV_NUM_SGE, ctx); | ||
42 | return; | ||
43 | } | ||
44 | |||
45 | @@ -390,9 +390,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev, | ||
46 | } | ||
47 | |||
48 | pr_dbg("num_sge=%d\n", num_sge); | ||
49 | - if (!num_sge) { | ||
50 | - pr_dbg("num_sge=0\n"); | ||
51 | - comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); | ||
52 | + if (!num_sge || num_sge > MAX_SGE) { | ||
53 | + pr_dbg("invalid num_sge=%d\n", num_sge); | ||
54 | + comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_INV_NUM_SGE, ctx); | ||
55 | return; | ||
56 | } | ||
57 | |||
58 | -- | ||
59 | 2.20.1 | ||
60 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch b/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch new file mode 100644 index 0000000000..56559c8388 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | CVE: CVE-2018-20125 | ||
2 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce] | ||
3 | |||
4 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
5 | |||
6 | From 2c858ce5da8ae6689c75182b73bc455a291cad41 Mon Sep 17 00:00:00 2001 | ||
7 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
8 | Date: Thu, 13 Dec 2018 01:00:36 +0530 | ||
9 | Subject: [PATCH] pvrdma: check number of pages when creating rings | ||
10 | |||
11 | When creating CQ/QP rings, an object can have up to | ||
12 | PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter | ||
13 | to avoid excessive memory allocation or a null dereference. | ||
14 | |||
15 | Reported-by: Li Qiang <liq3ea@163.com> | ||
16 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
17 | Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> | ||
18 | Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> | ||
19 | --- | ||
20 | hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++ | ||
21 | 1 file changed, 11 insertions(+) | ||
22 | |||
23 | diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c | ||
24 | index 3b94545761..f236ac4795 100644 | ||
25 | --- a/hw/rdma/vmw/pvrdma_cmd.c | ||
26 | +++ b/hw/rdma/vmw/pvrdma_cmd.c | ||
27 | @@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring, | ||
28 | int rc = -EINVAL; | ||
29 | char ring_name[MAX_RING_NAME_SZ]; | ||
30 | |||
31 | + if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) { | ||
32 | + pr_dbg("invalid nchunks: %d\n", nchunks); | ||
33 | + return rc; | ||
34 | + } | ||
35 | + | ||
36 | pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); | ||
37 | dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); | ||
38 | if (!dir) { | ||
39 | @@ -372,6 +377,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma, | ||
40 | char ring_name[MAX_RING_NAME_SZ]; | ||
41 | uint32_t wqe_sz; | ||
42 | |||
43 | + if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES | ||
44 | + || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) { | ||
45 | + pr_dbg("invalid pages: %d, %d\n", spages, rpages); | ||
46 | + return rc; | ||
47 | + } | ||
48 | + | ||
49 | pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); | ||
50 | dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); | ||
51 | if (!dir) { | ||
52 | -- | ||
53 | 2.20.1 | ||
54 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch b/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch new file mode 100644 index 0000000000..8329f2cfd0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch | |||
@@ -0,0 +1,113 @@ | |||
1 | CVE: CVE-2018-20126 | ||
2 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=509f57c] | ||
3 | |||
4 | Backport and rebase patch to fix CVE-2018-20126. | ||
5 | |||
6 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
7 | |||
8 | From 509f57c98e7536905bb4902363d0cba66ce7e089 Mon Sep 17 00:00:00 2001 | ||
9 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
10 | Date: Thu, 13 Dec 2018 01:00:37 +0530 | ||
11 | Subject: [PATCH] pvrdma: release ring object in case of an error | ||
12 | |||
13 | create_cq and create_qp routines allocate ring object, but it's | ||
14 | not released in case of an error, leading to memory leakage. | ||
15 | |||
16 | Reported-by: Li Qiang <liq3ea@163.com> | ||
17 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
18 | Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> | ||
19 | Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> | ||
20 | --- | ||
21 | hw/rdma/vmw/pvrdma_cmd.c | 41 ++++++++++++++++++++++++++++++----------- | ||
22 | 1 file changed, 30 insertions(+), 11 deletions(-) | ||
23 | |||
24 | diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c | ||
25 | index 4faeb21..9b6796f 100644 | ||
26 | --- a/hw/rdma/vmw/pvrdma_cmd.c | ||
27 | +++ b/hw/rdma/vmw/pvrdma_cmd.c | ||
28 | @@ -310,6 +310,14 @@ out: | ||
29 | return rc; | ||
30 | } | ||
31 | |||
32 | +static void destroy_cq_ring(PvrdmaRing *ring) | ||
33 | +{ | ||
34 | + pvrdma_ring_free(ring); | ||
35 | + /* ring_state was in slot 1, not 0 so need to jump back */ | ||
36 | + rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE); | ||
37 | + g_free(ring); | ||
38 | +} | ||
39 | + | ||
40 | static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req, | ||
41 | union pvrdma_cmd_resp *rsp) | ||
42 | { | ||
43 | @@ -333,6 +341,10 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req, | ||
44 | |||
45 | resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev, | ||
46 | cmd->cqe, &resp->cq_handle, ring); | ||
47 | + if (resp->hdr.err) { | ||
48 | + destroy_cq_ring(ring); | ||
49 | + } | ||
50 | + | ||
51 | resp->cqe = cmd->cqe; | ||
52 | |||
53 | out: | ||
54 | @@ -356,10 +368,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req, | ||
55 | } | ||
56 | |||
57 | ring = (PvrdmaRing *)cq->opaque; | ||
58 | - pvrdma_ring_free(ring); | ||
59 | - /* ring_state was in slot 1, not 0 so need to jump back */ | ||
60 | - rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE); | ||
61 | - g_free(ring); | ||
62 | + destroy_cq_ring(ring); | ||
63 | |||
64 | rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle); | ||
65 | |||
66 | @@ -451,6 +460,17 @@ out: | ||
67 | return rc; | ||
68 | } | ||
69 | |||
70 | +static void destroy_qp_rings(PvrdmaRing *ring) | ||
71 | +{ | ||
72 | + pr_dbg("sring=%p\n", &ring[0]); | ||
73 | + pvrdma_ring_free(&ring[0]); | ||
74 | + pr_dbg("rring=%p\n", &ring[1]); | ||
75 | + pvrdma_ring_free(&ring[1]); | ||
76 | + | ||
77 | + rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE); | ||
78 | + g_free(ring); | ||
79 | +} | ||
80 | + | ||
81 | static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req, | ||
82 | union pvrdma_cmd_resp *rsp) | ||
83 | { | ||
84 | @@ -482,6 +502,11 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req, | ||
85 | cmd->max_recv_wr, cmd->max_recv_sge, | ||
86 | cmd->recv_cq_handle, rings, &resp->qpn); | ||
87 | |||
88 | + if (resp->hdr.err) { | ||
89 | + destroy_qp_rings(rings); | ||
90 | + return resp->hdr.err; | ||
91 | + } | ||
92 | + | ||
93 | resp->max_send_wr = cmd->max_send_wr; | ||
94 | resp->max_recv_wr = cmd->max_recv_wr; | ||
95 | resp->max_send_sge = cmd->max_send_sge; | ||
96 | @@ -555,13 +580,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req, | ||
97 | rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle); | ||
98 | |||
99 | ring = (PvrdmaRing *)qp->opaque; | ||
100 | - pr_dbg("sring=%p\n", &ring[0]); | ||
101 | - pvrdma_ring_free(&ring[0]); | ||
102 | - pr_dbg("rring=%p\n", &ring[1]); | ||
103 | - pvrdma_ring_free(&ring[1]); | ||
104 | - | ||
105 | - rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE); | ||
106 | - g_free(ring); | ||
107 | + destroy_qp_rings(ring); | ||
108 | |||
109 | return 0; | ||
110 | } | ||
111 | -- | ||
112 | 2.20.1 | ||
113 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch b/meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch new file mode 100644 index 0000000000..8f8ff0567a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | CVE: CVE-2018-20191 | ||
2 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2aa8645] | ||
3 | |||
4 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
5 | |||
6 | From 2aa86456fb938a11f2b7bd57c8643c213218681c Mon Sep 17 00:00:00 2001 | ||
7 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
8 | Date: Thu, 13 Dec 2018 01:00:35 +0530 | ||
9 | Subject: [PATCH] pvrdma: add uar_read routine | ||
10 | |||
11 | Define skeleton 'uar_read' routine. Avoid NULL dereference. | ||
12 | |||
13 | Reported-by: Li Qiang <liq3ea@163.com> | ||
14 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
15 | Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> | ||
16 | Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> | ||
17 | --- | ||
18 | hw/rdma/vmw/pvrdma_main.c | 6 ++++++ | ||
19 | 1 file changed, 6 insertions(+) | ||
20 | |||
21 | diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c | ||
22 | index 64de16fb52..838ad8a949 100644 | ||
23 | --- a/hw/rdma/vmw/pvrdma_main.c | ||
24 | +++ b/hw/rdma/vmw/pvrdma_main.c | ||
25 | @@ -448,6 +448,11 @@ static const MemoryRegionOps regs_ops = { | ||
26 | }, | ||
27 | }; | ||
28 | |||
29 | +static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size) | ||
30 | +{ | ||
31 | + return 0xffffffff; | ||
32 | +} | ||
33 | + | ||
34 | static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size) | ||
35 | { | ||
36 | PVRDMADev *dev = opaque; | ||
37 | @@ -489,6 +494,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size) | ||
38 | } | ||
39 | |||
40 | static const MemoryRegionOps uar_ops = { | ||
41 | + .read = uar_read, | ||
42 | .write = uar_write, | ||
43 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
44 | .impl = { | ||
45 | -- | ||
46 | 2.20.1 | ||
47 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch b/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch new file mode 100644 index 0000000000..c02bad3bb9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch | |||
@@ -0,0 +1,85 @@ | |||
1 | CVE: CVE-2018-20216 | ||
2 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38] | ||
3 | |||
4 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
5 | |||
6 | From f1e2e38ee0136b7710a2caa347049818afd57a1b Mon Sep 17 00:00:00 2001 | ||
7 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
8 | Date: Thu, 13 Dec 2018 01:00:39 +0530 | ||
9 | Subject: [PATCH] pvrdma: check return value from pvrdma_idx_ring_has_ routines | ||
10 | |||
11 | pvrdma_idx_ring_has_[data/space] routines also return invalid | ||
12 | index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check | ||
13 | return value from these routines to avoid plausible infinite loops. | ||
14 | |||
15 | Reported-by: Li Qiang <liq3ea@163.com> | ||
16 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
17 | Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> | ||
18 | Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> | ||
19 | --- | ||
20 | hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------ | ||
21 | 1 file changed, 11 insertions(+), 18 deletions(-) | ||
22 | |||
23 | diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c | ||
24 | index 01247fc041..e8e5b502f6 100644 | ||
25 | --- a/hw/rdma/vmw/pvrdma_dev_ring.c | ||
26 | +++ b/hw/rdma/vmw/pvrdma_dev_ring.c | ||
27 | @@ -73,23 +73,16 @@ out: | ||
28 | |||
29 | void *pvrdma_ring_next_elem_read(PvrdmaRing *ring) | ||
30 | { | ||
31 | + int e; | ||
32 | unsigned int idx = 0, offset; | ||
33 | |||
34 | - /* | ||
35 | - pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail, | ||
36 | - ring->ring_state->cons_head); | ||
37 | - */ | ||
38 | - | ||
39 | - if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) { | ||
40 | + e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx); | ||
41 | + if (e <= 0) { | ||
42 | pr_dbg("No more data in ring\n"); | ||
43 | return NULL; | ||
44 | } | ||
45 | |||
46 | offset = idx * ring->elem_sz; | ||
47 | - /* | ||
48 | - pr_dbg("idx=%d\n", idx); | ||
49 | - pr_dbg("offset=%d\n", offset); | ||
50 | - */ | ||
51 | return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE); | ||
52 | } | ||
53 | |||
54 | @@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring) | ||
55 | |||
56 | void *pvrdma_ring_next_elem_write(PvrdmaRing *ring) | ||
57 | { | ||
58 | - unsigned int idx, offset, tail; | ||
59 | + int idx; | ||
60 | + unsigned int offset, tail; | ||
61 | |||
62 | - /* | ||
63 | - pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail, | ||
64 | - ring->ring_state->cons_head); | ||
65 | - */ | ||
66 | - | ||
67 | - if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) { | ||
68 | + idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail); | ||
69 | + if (idx <= 0) { | ||
70 | pr_dbg("CQ is full\n"); | ||
71 | return NULL; | ||
72 | } | ||
73 | |||
74 | idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems); | ||
75 | - /* TODO: tail == idx */ | ||
76 | + if (idx < 0 || tail != idx) { | ||
77 | + pr_dbg("invalid idx\n"); | ||
78 | + return NULL; | ||
79 | + } | ||
80 | |||
81 | offset = idx * ring->elem_sz; | ||
82 | return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE); | ||
83 | -- | ||
84 | 2.20.1 | ||
85 | |||