author | Ross Burton <ross.burton@intel.com> | 2019-03-21 12:31:29 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-03-24 17:00:52 +0000 |
commit | 49c2351f3a50f4aab12a56ae587b71080e6f42b2 (patch) | |
tree | b0c2defab4e43a437ac89d4e1e89b836f1e487bc /meta/recipes-devtools | |
parent | 95661a102dad1cef40cc9d95b80bacb6544f9a1b (diff) | |
download | poky-49c2351f3a50f4aab12a56ae587b71080e6f42b2.tar.gz |
qemu: fix CVE-2019-3812
(From OE-Core rev: 0135c0bf2a6cfd43c86d67ad0a0a2eaadc05cc47)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch | 39 |
2 files changed, 40 insertions, 0 deletions
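--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,6 +29,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://0017-fix-CVE-2018-20126.patch \
 file://0018-fix-CVE-2018-20191.patch \
 file://0019-fix-CVE-2018-20216.patch \
+file://CVE-2019-3812.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 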
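--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
@@ -0,0 +1,39 @@
+QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an
+out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc()
+function. A local attacker with permission to execute i2c commands could exploit
+this to read stack memory of the qemu process on the host.
+
+CVE: CVE-2019-3812
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 8 Jan 2019 11:23:01 +0100
+Subject: [PATCH] i2c-ddc: fix oob read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Suggested-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190108102301.1957-1-kraxel@redhat.com
+---
+hw/i2c/i2c-ddc.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
+index be34fe072cf..0a0367ff38f 100644
+--- a/hw/i2c/i2c-ddc.c
++++ b/hw/i2c/i2c-ddc.c
+@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
+I2CDDCState *s = I2CDDC(i2c);
+
+int value;
+- value = s->edid_blob[s->reg];
++ value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
+s->reg++;
+return value;
+}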
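Review bot: The bound `s->reg % sizeof(s->edid_blob)` added in i2c_ddc_rx is only correct while `edid_blob` is a fixed-size array member of I2CDDCState; its declaration is outside this hunk, and if it were a pointer the expression would wrap at the pointer size rather than the blob size. The read deserves a comment saying why the wrap is there, for example `/* wrap reg to the blob size so the read cannot leave edid_blob */`. `s->reg++` is still left to grow past the blob size, so any other user of `s->reg` as an index would need the same wrap; none is visible here, and that should be confirmed against the rest of the file. Separately, the description at the top of the patch names `i2c_ddc()` while the function being fixed is `i2c_ddc_rx()`.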