summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2020-11-19 19:00:35 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-11-24 13:17:59 +0000
commit235dff82276a8a2ff4d0ee1cf93243925537551c (patch)
tree3f7c46f13e2faebb039ada6b90f98c11581fd8e8 /meta/recipes-devtools
parent9c5ec3fd7b65cebe2b570cfc0638a0e0c6f09230 (diff)
downloadpoky-235dff82276a8a2ff4d0ee1cf93243925537551c.tar.gz
qemu: fix CVE-2020-24352
(From OE-Core rev: 7610ffec71e20556bde32f00a08c4c5a40cd31ce) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch52
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index b6941403ea..067179fdeb 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -50,6 +50,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
50 file://CVE-2020-16092.patch \ 50 file://CVE-2020-16092.patch \
51 file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ 51 file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
52 file://CVE-2019-20175.patch \ 52 file://CVE-2019-20175.patch \
53 file://CVE-2020-24352.patch \
53 " 54 "
54UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 55UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
55 56
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
new file mode 100644
index 0000000000..861ff6c3b0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
@@ -0,0 +1,52 @@
1From ca1f9cbfdce4d63b10d57de80fef89a89d92a540 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Wed, 21 Oct 2020 16:08:18 +0530
4Subject: [PATCH 1/1] ati: check x y display parameter values
5
6The source and destination x,y display parameters in ati_2d_blt()
7may run off the vga limits if either of s->regs.[src|dst]_[xy] is
8zero. Check the parameter values to avoid potential crash.
9
10Reported-by: Gaoning Pan <pgn@zju.edu.cn>
11Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
12Message-id: 20201021103818.1704030-1-ppandit@redhat.com
13Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
14
15Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ca1f9cbfdce4d63b10d57de80fef89a89d92a540;hp=2ddafce7f797082ad216657c830afd4546f16e37 ]
16CVE: CVE-2020-24352
17Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
18---
19 hw/display/ati_2d.c | 10 ++++++----
20 1 file changed, 6 insertions(+), 4 deletions(-)
21
22diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
23index 23a8ae0..4dc10ea 100644
24--- a/hw/display/ati_2d.c
25+++ b/hw/display/ati_2d.c
26@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s)
27 dst_stride *= bpp;
28 }
29 uint8_t *end = s->vga.vram_ptr + s->vga.vram_size;
30- if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) *
31- dst_stride >= end) {
32+ if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end
33+ || dst_bits + dst_x
34+ + (dst_y + s->regs.dst_height) * dst_stride >= end) {
35 qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
36 return;
37 }
38@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s)
39 src_bits += s->regs.crtc_offset & 0x07ffffff;
40 src_stride *= bpp;
41 }
42- if (src_bits >= end || src_bits + src_x +
43- (src_y + s->regs.dst_height) * src_stride >= end) {
44+ if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end
45+ || src_bits + src_x
46+ + (src_y + s->regs.dst_height) * src_stride >= end) {
47 qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
48 return;
49 }
50--
511.8.3.1
52