diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-04-29 11:02:18 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-05-01 12:34:51 +0100 |
commit | 13eda671267c7b38be0b863319f187fc8b4eae05 (patch) | |
tree | b602906a087e6f600418372a7c429b682603ed21 /meta | |
parent | 91c507ce1cf983a600c2d38c4284e605a80297d6 (diff) | |
download | poky-13eda671267c7b38be0b863319f187fc8b4eae05.tar.gz |
Qemu: CVE-2014-2894
Fixes an out of bounds memory access flaw
in Qemu's IDE device model
Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2894
(From OE-Core rev: 5f7cdf1e1212af5e3dcf36c8817c63cc853b1a91)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch | 46 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_1.7.0.bb | 3 |
2 files changed, 48 insertions, 1 deletions
diff --git a/meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch b/meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch new file mode 100644 index 0000000000..bd3566e282 --- /dev/null +++ b/meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From c5dae2f4c50ef848f224da718154af4438862cdb Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Beno=C3=AEt=20Canet?= <benoit.canet@irqsave.net> | ||
3 | Date: Sat, 12 Apr 2014 22:59:50 +0200 | ||
4 | Subject: [PATCH] ide: Correct improper smart self test counter reset in ide | ||
5 | core. | ||
6 | |||
7 | The SMART self test counter was incorrectly being reset to zero, | ||
8 | not 1. This had the effect that on every 21st SMART EXECUTE OFFLINE: | ||
9 | * We would write off the beginning of a dynamically allocated buffer | ||
10 | * We forgot the SMART history | ||
11 | Fix this. | ||
12 | |||
13 | Signed-off-by: Benoit Canet <benoit@irqsave.net> | ||
14 | Message-id: 1397336390-24664-1-git-send-email-benoit.canet@irqsave.net | ||
15 | Reviewed-by: Markus Armbruster <armbru@redhat.com> | ||
16 | Cc: qemu-stable@nongnu.org | ||
17 | Acked-by: Kevin Wolf <kwolf@redhat.com> | ||
18 | [PMM: tweaked commit message as per suggestions from Markus] | ||
19 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
20 | |||
21 | Fixes CVE-2014-2894 | ||
22 | Upstream-Status: Backport | ||
23 | |||
24 | (cherry picked from commit 940973ae0b45c9b6817bab8e4cf4df99a9ef83d7) | ||
25 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
26 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
27 | --- | ||
28 | hw/ide/core.c | 2 +- | ||
29 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
30 | |||
31 | diff --git a/hw/ide/core.c b/hw/ide/core.c | ||
32 | index e1f4c33..6007f6f 100644 | ||
33 | --- a/hw/ide/core.c | ||
34 | +++ b/hw/ide/core.c | ||
35 | @@ -1601,7 +1601,7 @@ static bool cmd_smart(IDEState *s, uint8_t cmd) | ||
36 | case 2: /* extended self test */ | ||
37 | s->smart_selftest_count++; | ||
38 | if (s->smart_selftest_count > 21) { | ||
39 | - s->smart_selftest_count = 0; | ||
40 | + s->smart_selftest_count = 1; | ||
41 | } | ||
42 | n = 2 + (s->smart_selftest_count - 1) * 24; | ||
43 | s->smart_selftest_data[n] = s->sector; | ||
44 | -- | ||
45 | 1.9.1 | ||
46 | |||
diff --git a/meta/recipes-devtools/qemu/qemu_1.7.0.bb b/meta/recipes-devtools/qemu/qemu_1.7.0.bb index b776cccc02..a519645f56 100644 --- a/meta/recipes-devtools/qemu/qemu_1.7.0.bb +++ b/meta/recipes-devtools/qemu/qemu_1.7.0.bb | |||
@@ -5,7 +5,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ | |||
5 | 5 | ||
6 | SRC_URI += "file://fxrstorssefix.patch \ | 6 | SRC_URI += "file://fxrstorssefix.patch \ |
7 | file://qemu-enlarge-env-entry-size.patch \ | 7 | file://qemu-enlarge-env-entry-size.patch \ |
8 | file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch" | 8 | file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ |
9 | file://ide-CVE-2014-2894.patch" | ||
9 | 10 | ||
10 | SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2" | 11 | SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2" |
11 | SRC_URI[md5sum] = "32893941d40d052a5e649efcf06aca06" | 12 | SRC_URI[md5sum] = "32893941d40d052a5e649efcf06aca06" |