summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
authorKai Kang <kai.kang@windriver.com>2016-11-10 15:01:25 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-01-11 17:21:41 +0000
commit8d1afc2a0db29426f0885c259273f95dce0aa4ab (patch)
tree596da79c5f97de73eb55c01f99f9c77e8efac4d7 /meta/recipes-devtools
parent31d4000b150a5a9daa37aeed5a75f9a183706b2f (diff)
downloadpoky-8d1afc2a0db29426f0885c259273f95dce0aa4ab.tar.gz
qemu: fix CVE-2016-7909
Backport patch to fix CVE-2016-7909 of qemu. Ref: https://security-tracker.debian.org/tracker/CVE-2016-7909 (From OE-Core rev: 126783ca25a5ae9daf87ac563239fbff4696a682) (From OE-Core rev: 469267010b43a1c114e22009c9ac68f36c22f896) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.7.0.bb1
2 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
new file mode 100644
index 0000000000..e71bbf6205
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
@@ -0,0 +1,42 @@
1Upstream-Status: Backport [http://git.qemu.org/?p=qemu.git;a=commit;h=34e29ce]
2CVE: CVE-2016-7909
3
4Signed-off-by: Kai Kang <kai.kang@windriver.com>
5---
6From 34e29ce754c02bb6b3bdd244fbb85033460feaff Mon Sep 17 00:00:00 2001
7From: Prasad J Pandit <pjp@fedoraproject.org>
8Date: Fri, 30 Sep 2016 00:27:33 +0530
9Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
10
11The AMD PC-Net II emulator has set of control and status(CSR)
12registers. Of these, CSR76 and CSR78 hold receive and transmit
13descriptor ring length respectively. This ring length could range
14from 1 to 65535. Setting ring length to zero leads to an infinite
15loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
16
17Reported-by: Li Qiang <liqiang6-s@360.cn>
18Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
19Signed-off-by: Jason Wang <jasowang@redhat.com>
20---
21 hw/net/pcnet.c | 3 +++
22 1 file changed, 3 insertions(+)
23
24diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
25index 198a01f..3078de8 100644
26--- a/hw/net/pcnet.c
27+++ b/hw/net/pcnet.c
28@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
29 case 47: /* POLLINT */
30 case 72:
31 case 74:
32+ break;
33 case 76: /* RCVRL */
34 case 78: /* XMTRL */
35+ val = (val > 0) ? val : 512;
36+ break;
37 case 112:
38 if (CSR_STOP(s) || CSR_SPND(s))
39 break;
40--
412.10.1
42
diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
index a75bcdfa0b..cef181dcea 100644
--- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
12 file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \ 12 file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \
13 file://0002-fix-CVE-2016-7423.patch \ 13 file://0002-fix-CVE-2016-7423.patch \
14 file://0003-fix-CVE-2016-7908.patch \ 14 file://0003-fix-CVE-2016-7908.patch \
15 file://0004-fix-CVE-2016-7909.patch \
15" 16"
16 17
17SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 18SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"