diff options
author | Changqing Li <changqing.li@windriver.com> | 2020-02-27 13:25:46 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-03-12 22:49:28 +0000 |
commit | 43da61a83f391c0d117361a14c28313596fb32ca (patch) | |
tree | fd4be5d41e4d5d9ea1adb48705806a4f5515cda1 /meta | |
parent | d24dd531e2fa261b07d98b15d07652048dcb5e8d (diff) | |
download | poky-43da61a83f391c0d117361a14c28313596fb32ca.tar.gz |
qemu: fix CVE-2020-7039
(From OE-Core rev: 5ea3d9d83ed695827634e3216664c13fcff6d48a)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 3 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch | 44 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch | 59 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch | 64 |
4 files changed, 170 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index e6dbc6d05a..3ce14d9fa0 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -30,6 +30,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
30 | file://0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch \ | 30 | file://0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch \ |
31 | file://CVE-2019-15890.patch \ | 31 | file://CVE-2019-15890.patch \ |
32 | file://CVE-2020-1711.patch \ | 32 | file://CVE-2020-1711.patch \ |
33 | file://CVE-2020-7039-1.patch \ | ||
34 | file://CVE-2020-7039-2.patch \ | ||
35 | file://CVE-2020-7039-3.patch \ | ||
33 | " | 36 | " |
34 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 37 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
35 | 38 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch new file mode 100644 index 0000000000..df6bca6db6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001 | ||
2 | From: Changqing Li <changqing.li@windriver.com> | ||
3 | Date: Thu, 27 Feb 2020 12:07:35 +0800 | ||
4 | Subject: [PATCH] tcp_emu: Fix oob access | ||
5 | |||
6 | The main loop only checks for one available byte, while we sometimes | ||
7 | need two bytes. | ||
8 | |||
9 | CVE: CVE-2020-7039 | ||
10 | Upstream-Status: Backport | ||
11 | [https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289] | ||
12 | |||
13 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
14 | --- | ||
15 | slirp/src/tcp_subr.c | 6 ++++++ | ||
16 | 1 file changed, 6 insertions(+) | ||
17 | |||
18 | diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c | ||
19 | index d6dd133..4bea2d4 100644 | ||
20 | --- a/slirp/src/tcp_subr.c | ||
21 | +++ b/slirp/src/tcp_subr.c | ||
22 | @@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) | ||
23 | break; | ||
24 | |||
25 | case 5: | ||
26 | + if (bptr == m->m_data + m->m_len - 1) | ||
27 | + return 1; /* We need two bytes */ | ||
28 | /* | ||
29 | * The difference between versions 1.0 and | ||
30 | * 2.0 is here. For future versions of | ||
31 | @@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m) | ||
32 | /* This is the field containing the port | ||
33 | * number that RA-player is listening to. | ||
34 | */ | ||
35 | + | ||
36 | + if (bptr == m->m_data + m->m_len - 1) | ||
37 | + return 1; /* We need two bytes */ | ||
38 | + | ||
39 | lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]; | ||
40 | if (lport < 6970) | ||
41 | lport += 256; /* don't know why */ | ||
42 | -- | ||
43 | 2.7.4 | ||
44 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch new file mode 100644 index 0000000000..4a00fa2afd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 8f67e76e4148e37f3d8d2bcbdee7417fdedb7669 Mon Sep 17 00:00:00 2001 | ||
2 | From: Changqing Li <changqing.li@windriver.com> | ||
3 | Date: Thu, 27 Feb 2020 12:10:34 +0800 | ||
4 | Subject: [PATCH] slirp: use correct size while emulating commands | ||
5 | |||
6 | While emulating services in tcp_emu(), it uses 'mbuf' size | ||
7 | 'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m) | ||
8 | size to avoid possible OOB access. | ||
9 | Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org> | ||
10 | Signed-off-by: Samuel Thibault's avatarSamuel Thibault | ||
11 | <samuel.thibault@ens-lyon.org> | ||
12 | Message-Id: <20200109094228.79764-3-ppandit@redhat.com> | ||
13 | |||
14 | CVE: CVE-2020-7039 | ||
15 | Upstream-Status: Backport | ||
16 | [https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80] | ||
17 | |||
18 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
19 | --- | ||
20 | slirp/src/tcp_subr.c | 9 ++++----- | ||
21 | 1 file changed, 4 insertions(+), 5 deletions(-) | ||
22 | |||
23 | diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c | ||
24 | index 4bea2d4..e8ed4ef 100644 | ||
25 | --- a/slirp/src/tcp_subr.c | ||
26 | +++ b/slirp/src/tcp_subr.c | ||
27 | @@ -696,7 +696,7 @@ int tcp_emu(struct socket *so, struct mbuf *m) | ||
28 | n4 = (laddr & 0xff); | ||
29 | |||
30 | m->m_len = bptr - m->m_data; /* Adjust length */ | ||
31 | - m->m_len += snprintf(bptr, m->m_size - m->m_len, | ||
32 | + m->m_len += snprintf(bptr, M_FREEROOM(m), | ||
33 | "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4, | ||
34 | n5, n6, x == 7 ? buff : ""); | ||
35 | return 1; | ||
36 | @@ -731,8 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m) | ||
37 | n4 = (laddr & 0xff); | ||
38 | |||
39 | m->m_len = bptr - m->m_data; /* Adjust length */ | ||
40 | - m->m_len += | ||
41 | - snprintf(bptr, m->m_size - m->m_len, | ||
42 | + m->m_len += snprintf(bptr, M_FREEROOM(m), | ||
43 | "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", | ||
44 | n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); | ||
45 | |||
46 | @@ -758,8 +757,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) | ||
47 | if (m->m_data[m->m_len - 1] == '\0' && lport != 0 && | ||
48 | (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, | ||
49 | htons(lport), SS_FACCEPTONCE)) != NULL) | ||
50 | - m->m_len = | ||
51 | - snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1; | ||
52 | + m->m_len = snprintf(m->m_data, M_ROOM(m), | ||
53 | + "%d", ntohs(so->so_fport)) + 1; | ||
54 | return 1; | ||
55 | |||
56 | case EMU_IRC: | ||
57 | -- | ||
58 | 2.7.4 | ||
59 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch new file mode 100644 index 0000000000..70ce480d80 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From 0b03959b72036afce151783720d9e54988cf76ef Mon Sep 17 00:00:00 2001 | ||
2 | From: Changqing Li <changqing.li@windriver.com> | ||
3 | Date: Thu, 27 Feb 2020 12:15:04 +0800 | ||
4 | Subject: [PATCH] slirp: use correct size while emulating IRC commands | ||
5 | |||
6 | While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size | ||
7 | 'm->m_size' to write DCC commands via snprintf(3). This may | ||
8 | lead to OOB write access, because 'bptr' points somewhere in | ||
9 | the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m) | ||
10 | size to avoid OOB access. | ||
11 | Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com> | ||
12 | Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org> | ||
13 | Reviewed-by: Samuel Thibault's avatarSamuel Thibault | ||
14 | <samuel.thibault@ens-lyon.org> | ||
15 | Message-Id: <20200109094228.79764-2-ppandit@redhat.com> | ||
16 | |||
17 | CVE: CVE-2020-7039 | ||
18 | Upstream-Status: Backport | ||
19 | [https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9] | ||
20 | |||
21 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
22 | --- | ||
23 | slirp/src/tcp_subr.c | 11 ++++++----- | ||
24 | 1 file changed, 6 insertions(+), 5 deletions(-) | ||
25 | |||
26 | diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c | ||
27 | index e8ed4ef..3a4a8ee 100644 | ||
28 | --- a/slirp/src/tcp_subr.c | ||
29 | +++ b/slirp/src/tcp_subr.c | ||
30 | @@ -777,7 +777,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) | ||
31 | return 1; | ||
32 | } | ||
33 | m->m_len = bptr - m->m_data; /* Adjust length */ | ||
34 | - m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n", | ||
35 | + m->m_len += snprintf(bptr, M_FREEROOM(m), | ||
36 | + "DCC CHAT chat %lu %u%c\n", | ||
37 | (unsigned long)ntohl(so->so_faddr.s_addr), | ||
38 | ntohs(so->so_fport), 1); | ||
39 | } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, | ||
40 | @@ -787,8 +788,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) | ||
41 | return 1; | ||
42 | } | ||
43 | m->m_len = bptr - m->m_data; /* Adjust length */ | ||
44 | - m->m_len += | ||
45 | - snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff, | ||
46 | + m->m_len += snprintf(bptr, M_FREEROOM(m), | ||
47 | + "DCC SEND %s %lu %u %u%c\n", buff, | ||
48 | (unsigned long)ntohl(so->so_faddr.s_addr), | ||
49 | ntohs(so->so_fport), n1, 1); | ||
50 | } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, | ||
51 | @@ -798,8 +799,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) | ||
52 | return 1; | ||
53 | } | ||
54 | m->m_len = bptr - m->m_data; /* Adjust length */ | ||
55 | - m->m_len += | ||
56 | - snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff, | ||
57 | + m->m_len += snprintf(bptr, M_FREEROOM(m), | ||
58 | + "DCC MOVE %s %lu %u %u%c\n", buff, | ||
59 | (unsigned long)ntohl(so->so_faddr.s_addr), | ||
60 | ntohs(so->so_fport), n1, 1); | ||
61 | } | ||
62 | -- | ||
63 | 2.7.4 | ||
64 | |||