qemu: fix CVE-2019-3812

(From OE-Core rev: 0135c0bf2a6cfd43c86d67ad0a0a2eaadc05cc47) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2019-03-21 12:31:29 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-03-24 17:00:52 +0000
commit: 49c2351f3a50f4aab12a56ae587b71080e6f42b2 (patch)
tree: b0c2defab4e43a437ac89d4e1e89b836f1e487bc /meta/recipes-devtools
parent: 95661a102dad1cef40cc9d95b80bacb6544f9a1b (diff)
download: poky-49c2351f3a50f4aab12a56ae587b71080e6f42b2.tar.gz
2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 2babfe4c6f..e503aa866d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,6 +29,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://0017-fix-CVE-2018-20126.patch \
           file://0018-fix-CVE-2018-20191.patch \
           file://0019-fix-CVE-2018-20216.patch \
+           file://CVE-2019-3812.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
new file mode 100644
index 0000000000..7de5882b3e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
@@ -0,0 +1,39 @@
+QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an
+out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc()
+function. A local attacker with permission to execute i2c commands could exploit
+this to read stack memory of the qemu process on the host.
+CVE: CVE-2019-3812
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 8 Jan 2019 11:23:01 +0100
+Subject: [PATCH] i2c-ddc: fix oob read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Suggested-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190108102301.1957-1-kraxel@redhat.com
+---
+ hw/i2c/i2c-ddc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
+index be34fe072cf..0a0367ff38f 100644
+--- a/hw/i2c/i2c-ddc.c
+++ b/hw/i2c/i2c-ddc.c
+@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
+     I2CDDCState *s = I2CDDC(i2c);
+ 
+     int value;
+-    value = s->edid_blob[s->reg];
+    value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
+     s->reg++;
+     return value;
+ }
author	Ross Burton <ross.burton@intel.com>	2019-03-21 12:31:29 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-03-24 17:00:52 +0000
commit	49c2351f3a50f4aab12a56ae587b71080e6f42b2 (patch)
tree	b0c2defab4e43a437ac89d4e1e89b836f1e487bc /meta/recipes-devtools
parent	95661a102dad1cef40cc9d95b80bacb6544f9a1b (diff)
download	poky-49c2351f3a50f4aab12a56ae587b71080e6f42b2.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 2babfe4c6f..e503aa866d 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,6 +29,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
29	file://0017-fix-CVE-2018-20126.patch \	29	file://0017-fix-CVE-2018-20126.patch \
30	file://0018-fix-CVE-2018-20191.patch \	30	file://0018-fix-CVE-2018-20191.patch \
31	file://0019-fix-CVE-2018-20216.patch \	31	file://0019-fix-CVE-2018-20216.patch \
		32	file://CVE-2019-3812.patch \
32	"	33	"
33	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	34	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
34		35


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch new file mode 100644 index 0000000000..7de5882b3e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
@@ -0,0 +1,39 @@
		1	QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an
		2	out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc()
		3	function. A local attacker with permission to execute i2c commands could exploit
		4	this to read stack memory of the qemu process on the host.
		5
		6	CVE: CVE-2019-3812
		7	Upstream-Status: Backport
		8	Signed-off-by: Ross Burton <ross.burton@intel.com>
		9
		10	From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001
		11	From: Gerd Hoffmann <kraxel@redhat.com>
		12	Date: Tue, 8 Jan 2019 11:23:01 +0100
		13	Subject: [PATCH] i2c-ddc: fix oob read
		14	MIME-Version: 1.0
		15	Content-Type: text/plain; charset=UTF-8
		16	Content-Transfer-Encoding: 8bit
		17
		18	Suggested-by: Michael Hanselmann <public@hansmi.ch>
		19	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		20	Reviewed-by: Michael Hanselmann <public@hansmi.ch>
		21	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
		22	Message-id: 20190108102301.1957-1-kraxel@redhat.com
		23	---
		24	hw/i2c/i2c-ddc.c \| 2 +-
		25	1 file changed, 1 insertion(+), 1 deletion(-)
		26
		27	diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
		28	index be34fe072cf..0a0367ff38f 100644
		29	--- a/hw/i2c/i2c-ddc.c
		30	+++ b/hw/i2c/i2c-ddc.c
		31	@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
		32	I2CDDCState *s = I2CDDC(i2c);
		33
		34	int value;
		35	- value = s->edid_blob[s->reg];
		36	+ value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
		37	s->reg++;
		38	return value;
		39	}