diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2020-08-06 17:46:18 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-08-08 09:17:48 +0100 |
commit | d3c60cde03fd7de11776ec04ff50c61b6e1f6140 (patch) | |
tree | 0fe20d1bc3414fcf5c47fb0a37273782b78ceb68 /meta/recipes-devtools | |
parent | 6ec51d096ecd45a713cb4ca71ee70930a40749e7 (diff) | |
download | poky-d3c60cde03fd7de11776ec04ff50c61b6e1f6140.tar.gz |
qemu : fix CVE-2020-15863
(From OE-Core rev: 4d44369c7e65b110412e96c86b51d9791d94cb05)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch | 63 |
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index b1c822b1a8..56df73c067 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -36,6 +36,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
36 | file://CVE-2020-13659.patch \ | 36 | file://CVE-2020-13659.patch \ |
37 | file://CVE-2020-13800.patch \ | 37 | file://CVE-2020-13800.patch \ |
38 | file://CVE-2020-13791.patch \ | 38 | file://CVE-2020-13791.patch \ |
39 | file://CVE-2020-15863.patch \ | ||
39 | " | 40 | " |
40 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 41 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
41 | 42 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch new file mode 100644 index 0000000000..1505c7eed0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mauro Matteo Cascella <mcascell@redhat.com> | ||
3 | Date: Fri, 10 Jul 2020 11:19:41 +0200 | ||
4 | Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send() | ||
5 | |||
6 | A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It | ||
7 | occurs while sending an Ethernet frame due to missing break statements | ||
8 | and improper checking of the buffer size. | ||
9 | |||
10 | Reported-by: Ziming Zhang <ezrakiez@gmail.com> | ||
11 | Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> | ||
12 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
13 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
14 | |||
15 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5519724a13664b43e225ca05351c60b4468e4555] | ||
16 | CVE: CVE-2020-15863 | ||
17 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
18 | |||
19 | --- | ||
20 | hw/net/xgmac.c | 14 ++++++++++++-- | ||
21 | 1 file changed, 12 insertions(+), 2 deletions(-) | ||
22 | |||
23 | diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c | ||
24 | index 574dd47..5bf1b61 100644 | ||
25 | --- a/hw/net/xgmac.c | ||
26 | +++ b/hw/net/xgmac.c | ||
27 | @@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s) | ||
28 | } | ||
29 | len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff); | ||
30 | |||
31 | + /* | ||
32 | + * FIXME: these cases of malformed tx descriptors (bad sizes) | ||
33 | + * should probably be reported back to the guest somehow | ||
34 | + * rather than simply silently stopping processing, but we | ||
35 | + * don't know what the hardware does in this situation. | ||
36 | + * This will only happen for buggy guests anyway. | ||
37 | + */ | ||
38 | if ((bd.buffer1_size & 0xfff) > 2048) { | ||
39 | DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " | ||
40 | "xgmac buffer 1 len on send > 2048 (0x%x)\n", | ||
41 | __func__, bd.buffer1_size & 0xfff); | ||
42 | + break; | ||
43 | } | ||
44 | if ((bd.buffer2_size & 0xfff) != 0) { | ||
45 | DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " | ||
46 | "xgmac buffer 2 len on send != 0 (0x%x)\n", | ||
47 | __func__, bd.buffer2_size & 0xfff); | ||
48 | + break; | ||
49 | } | ||
50 | - if (len >= sizeof(frame)) { | ||
51 | + if (frame_size + len >= sizeof(frame)) { | ||
52 | DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu " | ||
53 | - "buffer\n" , __func__, len, sizeof(frame)); | ||
54 | + "buffer\n" , __func__, frame_size + len, sizeof(frame)); | ||
55 | DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n", | ||
56 | __func__, bd.buffer1_size, bd.buffer2_size); | ||
57 | + break; | ||
58 | } | ||
59 | |||
60 | cpu_physical_memory_read(bd.buffer1_addr, ptr, len); | ||
61 | -- | ||
62 | 1.8.3.1 | ||
63 | |||