summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2020-08-06 17:46:18 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-08-08 09:17:48 +0100
commitd3c60cde03fd7de11776ec04ff50c61b6e1f6140 (patch)
tree0fe20d1bc3414fcf5c47fb0a37273782b78ceb68 /meta/recipes-devtools
parent6ec51d096ecd45a713cb4ca71ee70930a40749e7 (diff)
downloadpoky-d3c60cde03fd7de11776ec04ff50c61b6e1f6140.tar.gz
qemu : fix CVE-2020-15863
(From OE-Core rev: 4d44369c7e65b110412e96c86b51d9791d94cb05) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch63
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index b1c822b1a8..56df73c067 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -36,6 +36,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
36 file://CVE-2020-13659.patch \ 36 file://CVE-2020-13659.patch \
37 file://CVE-2020-13800.patch \ 37 file://CVE-2020-13800.patch \
38 file://CVE-2020-13791.patch \ 38 file://CVE-2020-13791.patch \
39 file://CVE-2020-15863.patch \
39 " 40 "
40UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 41UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
41 42
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
new file mode 100644
index 0000000000..1505c7eed0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,63 @@
1From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
2From: Mauro Matteo Cascella <mcascell@redhat.com>
3Date: Fri, 10 Jul 2020 11:19:41 +0200
4Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
5
6A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
7occurs while sending an Ethernet frame due to missing break statements
8and improper checking of the buffer size.
9
10Reported-by: Ziming Zhang <ezrakiez@gmail.com>
11Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
12Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
13Signed-off-by: Jason Wang <jasowang@redhat.com>
14
15Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5519724a13664b43e225ca05351c60b4468e4555]
16CVE: CVE-2020-15863
17Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
18
19---
20 hw/net/xgmac.c | 14 ++++++++++++--
21 1 file changed, 12 insertions(+), 2 deletions(-)
22
23diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
24index 574dd47..5bf1b61 100644
25--- a/hw/net/xgmac.c
26+++ b/hw/net/xgmac.c
27@@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s)
28 }
29 len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
30
31+ /*
32+ * FIXME: these cases of malformed tx descriptors (bad sizes)
33+ * should probably be reported back to the guest somehow
34+ * rather than simply silently stopping processing, but we
35+ * don't know what the hardware does in this situation.
36+ * This will only happen for buggy guests anyway.
37+ */
38 if ((bd.buffer1_size & 0xfff) > 2048) {
39 DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
40 "xgmac buffer 1 len on send > 2048 (0x%x)\n",
41 __func__, bd.buffer1_size & 0xfff);
42+ break;
43 }
44 if ((bd.buffer2_size & 0xfff) != 0) {
45 DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
46 "xgmac buffer 2 len on send != 0 (0x%x)\n",
47 __func__, bd.buffer2_size & 0xfff);
48+ break;
49 }
50- if (len >= sizeof(frame)) {
51+ if (frame_size + len >= sizeof(frame)) {
52 DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
53- "buffer\n" , __func__, len, sizeof(frame));
54+ "buffer\n" , __func__, frame_size + len, sizeof(frame));
55 DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
56 __func__, bd.buffer1_size, bd.buffer2_size);
57+ break;
58 }
59
60 cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
61--
621.8.3.1
63