diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-08-18 10:45:56 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-01 21:37:29 +0100 |
commit | db031c40bbcf0900bd72946f97128d14f97be98f (patch) | |
tree | 4d1bbb27004c02485504e796295bf1b7f94314b9 /meta/recipes-devtools | |
parent | b64eae5767dbea2d7d85a0a281e1a25efe91d157 (diff) | |
download | poky-db031c40bbcf0900bd72946f97128d14f97be98f.tar.gz |
qemu: CVE-2014-7840
Fixes insufficient parameter validation during ram load
Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7840
Upstream commit:
http://git.qemu.org/?p=qemu.git;a=commit;
h=0be839a2701369f669532ea5884c15bead1c6e08
(From OE-Core rev: 0bd4b0c7ede8a52559e4bf05085a3f0d46a0a280)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch | 57 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.1.0.bb | 1 |
2 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch new file mode 100644 index 0000000000..4f992bae14 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001 | ||
2 | From: "Michael S. Tsirkin" <mst@redhat.com> | ||
3 | Date: Wed, 12 Nov 2014 11:44:39 +0200 | ||
4 | Subject: [PATCH] migration: fix parameter validation on ram load | ||
5 | |||
6 | During migration, the values read from migration stream during ram load | ||
7 | are not validated. Especially offset in host_from_stream_offset() and | ||
8 | also the length of the writes in the callers of said function. | ||
9 | |||
10 | To fix this, we need to make sure that the [offset, offset + length] | ||
11 | range fits into one of the allocated memory regions. | ||
12 | |||
13 | Validating addr < len should be sufficient since data seems to always be | ||
14 | managed in TARGET_PAGE_SIZE chunks. | ||
15 | |||
16 | Fixes: CVE-2014-7840 | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | |||
20 | Note: follow-up patches add extra checks on each block->host access. | ||
21 | |||
22 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
23 | Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> | ||
24 | Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | ||
25 | Signed-off-by: Amit Shah <amit.shah@redhat.com> | ||
26 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
27 | --- | ||
28 | arch_init.c | 5 +++-- | ||
29 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
30 | |||
31 | diff --git a/arch_init.c b/arch_init.c | ||
32 | index 88a5ba0..593a990 100644 | ||
33 | --- a/arch_init.c | ||
34 | +++ b/arch_init.c | ||
35 | @@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f, | ||
36 | uint8_t len; | ||
37 | |||
38 | if (flags & RAM_SAVE_FLAG_CONTINUE) { | ||
39 | - if (!block) { | ||
40 | + if (!block || block->length <= offset) { | ||
41 | error_report("Ack, bad migration stream!"); | ||
42 | return NULL; | ||
43 | } | ||
44 | @@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f, | ||
45 | id[len] = 0; | ||
46 | |||
47 | QTAILQ_FOREACH(block, &ram_list.blocks, next) { | ||
48 | - if (!strncmp(id, block->idstr, sizeof(id))) | ||
49 | + if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) { | ||
50 | return memory_region_get_ram_ptr(block->mr) + offset; | ||
51 | + } | ||
52 | } | ||
53 | |||
54 | error_report("Can't find block %s!", id); | ||
55 | -- | ||
56 | 1.9.1 | ||
57 | |||
diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb index d0ce74458b..5e5ecf00db 100644 --- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.1.0.bb | |||
@@ -8,6 +8,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ | |||
8 | file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ | 8 | file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ |
9 | file://0001-Back-porting-security-fix-CVE-2014-5388.patch \ | 9 | file://0001-Back-porting-security-fix-CVE-2014-5388.patch \ |
10 | file://qemu-CVE-2015-3456.patch \ | 10 | file://qemu-CVE-2015-3456.patch \ |
11 | file://CVE-2014-7840.patch \ | ||
11 | " | 12 | " |
12 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" | 13 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" |
13 | SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b" | 14 | SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b" |