summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorChangqing Li <changqing.li@windriver.com>2020-02-27 13:25:46 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-03-12 22:49:28 +0000
commit43da61a83f391c0d117361a14c28313596fb32ca (patch)
treefd4be5d41e4d5d9ea1adb48705806a4f5515cda1 /meta
parentd24dd531e2fa261b07d98b15d07652048dcb5e8d (diff)
downloadpoky-43da61a83f391c0d117361a14c28313596fb32ca.tar.gz
qemu: fix CVE-2020-7039
(From OE-Core rev: 5ea3d9d83ed695827634e3216664c13fcff6d48a) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc3
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch59
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch64
4 files changed, 170 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index e6dbc6d05a..3ce14d9fa0 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -30,6 +30,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
30 file://0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch \ 30 file://0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch \
31 file://CVE-2019-15890.patch \ 31 file://CVE-2019-15890.patch \
32 file://CVE-2020-1711.patch \ 32 file://CVE-2020-1711.patch \
33 file://CVE-2020-7039-1.patch \
34 file://CVE-2020-7039-2.patch \
35 file://CVE-2020-7039-3.patch \
33 " 36 "
34UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 37UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
35 38
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
new file mode 100644
index 0000000000..df6bca6db6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
@@ -0,0 +1,44 @@
1From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Thu, 27 Feb 2020 12:07:35 +0800
4Subject: [PATCH] tcp_emu: Fix oob access
5
6The main loop only checks for one available byte, while we sometimes
7need two bytes.
8
9CVE: CVE-2020-7039
10Upstream-Status: Backport
11[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289]
12
13Signed-off-by: Changqing Li <changqing.li@windriver.com>
14---
15 slirp/src/tcp_subr.c | 6 ++++++
16 1 file changed, 6 insertions(+)
17
18diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
19index d6dd133..4bea2d4 100644
20--- a/slirp/src/tcp_subr.c
21+++ b/slirp/src/tcp_subr.c
22@@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
23 break;
24
25 case 5:
26+ if (bptr == m->m_data + m->m_len - 1)
27+ return 1; /* We need two bytes */
28 /*
29 * The difference between versions 1.0 and
30 * 2.0 is here. For future versions of
31@@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
32 /* This is the field containing the port
33 * number that RA-player is listening to.
34 */
35+
36+ if (bptr == m->m_data + m->m_len - 1)
37+ return 1; /* We need two bytes */
38+
39 lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
40 if (lport < 6970)
41 lport += 256; /* don't know why */
42--
432.7.4
44
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
new file mode 100644
index 0000000000..4a00fa2afd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
@@ -0,0 +1,59 @@
1From 8f67e76e4148e37f3d8d2bcbdee7417fdedb7669 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Thu, 27 Feb 2020 12:10:34 +0800
4Subject: [PATCH] slirp: use correct size while emulating commands
5
6While emulating services in tcp_emu(), it uses 'mbuf' size
7'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
8size to avoid possible OOB access.
9Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
10Signed-off-by: Samuel Thibault's avatarSamuel Thibault
11<samuel.thibault@ens-lyon.org>
12Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
13
14CVE: CVE-2020-7039
15Upstream-Status: Backport
16[https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80]
17
18Signed-off-by: Changqing Li <changqing.li@windriver.com>
19---
20 slirp/src/tcp_subr.c | 9 ++++-----
21 1 file changed, 4 insertions(+), 5 deletions(-)
22
23diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
24index 4bea2d4..e8ed4ef 100644
25--- a/slirp/src/tcp_subr.c
26+++ b/slirp/src/tcp_subr.c
27@@ -696,7 +696,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
28 n4 = (laddr & 0xff);
29
30 m->m_len = bptr - m->m_data; /* Adjust length */
31- m->m_len += snprintf(bptr, m->m_size - m->m_len,
32+ m->m_len += snprintf(bptr, M_FREEROOM(m),
33 "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
34 n5, n6, x == 7 ? buff : "");
35 return 1;
36@@ -731,8 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
37 n4 = (laddr & 0xff);
38
39 m->m_len = bptr - m->m_data; /* Adjust length */
40- m->m_len +=
41- snprintf(bptr, m->m_size - m->m_len,
42+ m->m_len += snprintf(bptr, M_FREEROOM(m),
43 "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
44 n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
45
46@@ -758,8 +757,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
47 if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
48 (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
49 htons(lport), SS_FACCEPTONCE)) != NULL)
50- m->m_len =
51- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
52+ m->m_len = snprintf(m->m_data, M_ROOM(m),
53+ "%d", ntohs(so->so_fport)) + 1;
54 return 1;
55
56 case EMU_IRC:
57--
582.7.4
59
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
new file mode 100644
index 0000000000..70ce480d80
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
@@ -0,0 +1,64 @@
1From 0b03959b72036afce151783720d9e54988cf76ef Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Thu, 27 Feb 2020 12:15:04 +0800
4Subject: [PATCH] slirp: use correct size while emulating IRC commands
5
6While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
7'm->m_size' to write DCC commands via snprintf(3). This may
8lead to OOB write access, because 'bptr' points somewhere in
9the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
10size to avoid OOB access.
11Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
12Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
13Reviewed-by: Samuel Thibault's avatarSamuel Thibault
14<samuel.thibault@ens-lyon.org>
15Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
16
17CVE: CVE-2020-7039
18Upstream-Status: Backport
19[https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9]
20
21Signed-off-by: Changqing Li <changqing.li@windriver.com>
22---
23 slirp/src/tcp_subr.c | 11 ++++++-----
24 1 file changed, 6 insertions(+), 5 deletions(-)
25
26diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
27index e8ed4ef..3a4a8ee 100644
28--- a/slirp/src/tcp_subr.c
29+++ b/slirp/src/tcp_subr.c
30@@ -777,7 +777,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
31 return 1;
32 }
33 m->m_len = bptr - m->m_data; /* Adjust length */
34- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
35+ m->m_len += snprintf(bptr, M_FREEROOM(m),
36+ "DCC CHAT chat %lu %u%c\n",
37 (unsigned long)ntohl(so->so_faddr.s_addr),
38 ntohs(so->so_fport), 1);
39 } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
40@@ -787,8 +788,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
41 return 1;
42 }
43 m->m_len = bptr - m->m_data; /* Adjust length */
44- m->m_len +=
45- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
46+ m->m_len += snprintf(bptr, M_FREEROOM(m),
47+ "DCC SEND %s %lu %u %u%c\n", buff,
48 (unsigned long)ntohl(so->so_faddr.s_addr),
49 ntohs(so->so_fport), n1, 1);
50 } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
51@@ -798,8 +799,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
52 return 1;
53 }
54 m->m_len = bptr - m->m_data; /* Adjust length */
55- m->m_len +=
56- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
57+ m->m_len += snprintf(bptr, M_FREEROOM(m),
58+ "DCC MOVE %s %lu %u %u%c\n", buff,
59 (unsigned long)ntohl(so->so_faddr.s_addr),
60 ntohs(so->so_fport), n1, 1);
61 }
62--
632.7.4
64