author | Armin Kuster <akuster@mvista.com> | 2016-09-19 19:52:57 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-09-23 23:22:04 +0100 |
commit | 48048dcaa26b7ad97c4b2e10c06b86bd5cba761f (patch) | |
tree | e34deeddebea527b18cb2a764b2df9b3919ba961 /meta/recipes-devtools | |
parent | 931a6e6d5e3081c7b45d2591d8bf545ca0df375d (diff) | |
download | poky-48048dcaa26b7ad97c4b2e10c06b86bd5cba761f.tar.gz |
qemu: Security fix CVE-2016-6351
Affects qemu < 2.6.0.
(From OE-Core rev: 5729eb105ff69cae0eac7a596cb0e938f6159526)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch | 75 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch | 60 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.4.0.bb | 2 |
3 files changed, 137 insertions, 0 deletions
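--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch
@@ -0,0 +1,75 @@
+From 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 16 Jun 2016 00:22:35 +0200
+Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
+
+While doing DMA read into ESP command buffer 's->cmdbuf', it could
+write past the 's->cmdbuf' area, if it was transferring more than 16
+bytes. Increase the command buffer size to 32, which is maximum when
+'s->do_cmd' is set, and add a check on 'len' to avoid OOB access.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-6351 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/scsi/esp.c | 6 ++++--
+include/hw/scsi/esp.h | 3 ++-
+2 files changed, 6 insertions(+), 3 deletions(-)
+
+Index: qemu-2.4.0/hw/scsi/esp.c
+===================================================================
+--- qemu-2.4.0.orig/hw/scsi/esp.c
++++ qemu-2.4.0/hw/scsi/esp.c
+@@ -241,6 +241,8 @@ static void esp_do_dma(ESPState *s)
+len = s->dma_left;
+if (s->do_cmd) {
+trace_esp_do_dma(s->cmdlen, len);
++ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
++ len <= sizeof(s->cmdbuf) - s->cmdlen);
+s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+s->ti_size = 0;
+s->cmdlen = 0;
+@@ -340,7 +342,7 @@ static void handle_ti(ESPState *s)
+s->dma_counter = dmalen;
+
+if (s->do_cmd)
+- minlen = (dmalen < 32) ? dmalen : 32;
++ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
+else if (s->ti_size < 0)
+minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
+else
+@@ -446,7 +448,7 @@ void esp_reg_write(ESPState *s, uint32_t
+break;
+case ESP_FIFO:
+if (s->do_cmd) {
+- if (s->cmdlen < TI_BUFSZ) {
++ if (s->cmdlen < ESP_CMDBUF_SZ) {
+s->cmdbuf[s->cmdlen++] = val & 0xff;
+} else {
+trace_esp_error_fifo_overrun();
+Index: qemu-2.4.0/include/hw/scsi/esp.h
+===================================================================
+--- qemu-2.4.0.orig/include/hw/scsi/esp.h
++++ qemu-2.4.0/include/hw/scsi/esp.h
+@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shi
+
+#define ESP_REGS 16
+#define TI_BUFSZ 16
++#define ESP_CMDBUF_SZ 32
+
+typedef struct ESPState ESPState;
+
+@@ -31,7 +32,7 @@ struct ESPState {
+SCSIBus bus;
+SCSIDevice *current_dev;
+SCSIRequest *current_req;
+- uint8_t cmdbuf[TI_BUFSZ];
++ uint8_t cmdbuf[ESP_CMDBUF_SZ];
+uint32_t cmdlen;
+uint32_t do_cmd;
+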
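Review bot: The bound check added at lines 32-33 of the embedded patch is an `assert()`, so a violated bound aborts the whole QEMU process rather than failing the transfer, and in a build that defines NDEBUG the check vanishes altogether; the patch description only says "add a check on 'len'" and records neither property. Whether any path can still reach esp_do_dma with `cmdlen + len` larger than `cmdbuf` after the clamps in handle_ti and esp_reg_write cannot be decided from this section (the body of esp_do_dma continues outside the embedded hunk), so until that is confirmed the assert should be read as a possible guest-triggerable stop of the emulator, which is the intended trade against memory corruption. A one-line addition to the backport header, such as `Note: the new bound check is an assert(); it is compiled out under NDEBUG and aborts QEMU when violated.`, would record this for whoever carries the patch forward.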
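--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch
@@ -0,0 +1,60 @@
+From cc96677469388bad3d66479379735cf75db069e3 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 20 Jun 2016 16:32:39 +0200
+Subject: [PATCH] scsi: esp: fix migration
+
+Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size",
+2016-06-16) changed the size of a migrated field. Split it in two
+parts, and only migrate the second part in a new vmstate version.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-6351 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/scsi/esp.c | 5 +++--
+include/migration/vmstate.h | 5 ++++-
+2 files changed, 7 insertions(+), 3 deletions(-)
+
+Index: qemu-2.4.0/hw/scsi/esp.c
+===================================================================
+--- qemu-2.4.0.orig/hw/scsi/esp.c
++++ qemu-2.4.0/hw/scsi/esp.c
+@@ -571,7 +571,7 @@ static bool esp_mem_accepts(void *opaque
+
+const VMStateDescription vmstate_esp = {
+.name ="esp",
+- .version_id = 3,
++ .version_id = 4,
+.minimum_version_id = 3,
+.fields = (VMStateField[]) {
+VMSTATE_BUFFER(rregs, ESPState),
+@@ -582,7 +582,8 @@ const VMStateDescription vmstate_esp = {
+VMSTATE_BUFFER(ti_buf, ESPState),
+VMSTATE_UINT32(status, ESPState),
+VMSTATE_UINT32(dma, ESPState),
+- VMSTATE_BUFFER(cmdbuf, ESPState),
++ VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16),
++ VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4),
+VMSTATE_UINT32(cmdlen, ESPState),
+VMSTATE_UINT32(do_cmd, ESPState),
+VMSTATE_UINT32(dma_left, ESPState),
+Index: qemu-2.4.0/include/migration/vmstate.h
+===================================================================
+--- qemu-2.4.0.orig/include/migration/vmstate.h
++++ qemu-2.4.0/include/migration/vmstate.h
+@@ -778,8 +778,11 @@ extern const VMStateInfo vmstate_info_bi
+#define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \
+VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size)
+
++#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \
++ VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f)))
++
+#define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \
+- VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f)))
++ VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0)
+
+#define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \
+VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)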
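Review bot: The backport header at line 13 of this file reads `CVE: CVE-2016-6351 patch1`, but this file is the second half of the fix (the migration follow-up to commit 926cde5), so its tag is a copy of p1's and the two patch files cannot be told apart by their CVE lines; it should read `CVE: CVE-2016-6351 patch2`. As far as I know the cve-check tooling keys only on the CVE identifier, so reporting is unaffected, but anyone auditing which upstream commit each file carries is misled. Worth noting in the header too that this patch is not optional once p1 is applied: p1 grows the migrated `cmdbuf` field from 16 to 32 bytes, and without the version bump and split here a stream from an unpatched 2.4.0 would not match the new layout.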
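--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -26,6 +26,8 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
 file://CVE-2016-3712_p3.patch \
 file://CVE-2016-3712_p4.patch \
 file://CVE-2016-4439.patch \
+file://CVE-2016-6351_p1.patch \
+file://CVE-2016-6351_p2.patch \
 "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"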