summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorKai Kang <kai.kang@windriver.com>2016-10-26 17:54:50 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-11-06 23:35:35 +0000
commit8ce19e9e0bb320644d558e18ba2c8d91b3ef1e2e (patch)
tree9885cce5f46c4b395abf5c584ad3394e44b1c86e /meta
parent19be0e3f43c0d322c31b48986d7492a3c4f261a2 (diff)
downloadpoky-8ce19e9e0bb320644d558e18ba2c8d91b3ef1e2e.tar.gz
qemu: fix CVE-2016-7423 and CVE-2016-7908
Backport patches to fix CVE-2016-7423 and CVE-2016-7908 of qemu. (From OE-Core rev: 1f4c303fd64a4bc05882de01676f241f0df6da78) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch62
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.7.0.bb2
3 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch b/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch
new file mode 100644
index 0000000000..fdf58a3d65
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch
@@ -0,0 +1,45 @@
1Upstream-Status: Backport
2
3Backport patch to fix CVE-2016-7423 from:
4
5http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed
6
7CVE: CVE-2016-7423
8
9Signed-off-by: Kai Kang <kai.kang@windriver.com>
10---
11From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001
12From: Li Qiang <liqiang6-s@360.cn>
13Date: Mon, 12 Sep 2016 18:14:11 +0530
14Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
15
16When processing IO request in mptsas, it uses g_new to allocate
17a 'req' object. If an error occurs before 'req->sreq' is
18allocated, It could lead to an OOB write in mptsas_free_request
19function. Use g_new0 to avoid it.
20
21Reported-by: Li Qiang <liqiang6-s@360.cn>
22Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
23Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
24Cc: qemu-stable@nongnu.org
25Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
26---
27 hw/scsi/mptsas.c | 2 +-
28 1 file changed, 1 insertion(+), 1 deletion(-)
29
30diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
31index 0e0a22f..eaae1bb 100644
32--- a/hw/scsi/mptsas.c
33+++ b/hw/scsi/mptsas.c
34@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
35 goto bad;
36 }
37
38- req = g_new(MPTSASRequest, 1);
39+ req = g_new0(MPTSASRequest, 1);
40 QTAILQ_INSERT_TAIL(&s->pending, req, next);
41 req->scsi_io = *scsi_io;
42 req->dev = s;
43--
442.9.3
45
diff --git a/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch
new file mode 100644
index 0000000000..05cc3d9d13
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch
@@ -0,0 +1,62 @@
1Upstream-Status: Backport
2
3Backport patch to fix CVE-2016-7908 from:
4
5http://git.qemu.org/?p=qemu.git;a=commit;h=070c4b92b8c
6
7CVE: CVE-2016-7908
8
9Signed-off-by: Kai Kang <kai.kang@windriver.com>
10---
11From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001
12From: Prasad J Pandit <pjp@fedoraproject.org>
13Date: Thu, 22 Sep 2016 16:02:37 +0530
14Subject: [PATCH] net: mcf: limit buffer descriptor count
15
16ColdFire Fast Ethernet Controller uses buffer descriptors to manage
17data flow to/fro receive & transmit queues. While transmitting
18packets, it could continue to read buffer descriptors if a buffer
19descriptor has length of zero and has crafted values in bd.flags.
20Set upper limit to number of buffer descriptors.
21
22Reported-by: Li Qiang <liqiang6-s@360.cn>
23Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
24Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
25Signed-off-by: Jason Wang <jasowang@redhat.com>
26---
27 hw/net/mcf_fec.c | 5 +++--
28 1 file changed, 3 insertions(+), 2 deletions(-)
29
30diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
31index 0ee8ad9..d31fea1 100644
32--- a/hw/net/mcf_fec.c
33+++ b/hw/net/mcf_fec.c
34@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
35 #define DPRINTF(fmt, ...) do {} while(0)
36 #endif
37
38+#define FEC_MAX_DESC 1024
39 #define FEC_MAX_FRAME_SIZE 2032
40
41 typedef struct {
42@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
43 uint32_t addr;
44 mcf_fec_bd bd;
45 int frame_size;
46- int len;
47+ int len, descnt = 0;
48 uint8_t frame[FEC_MAX_FRAME_SIZE];
49 uint8_t *ptr;
50
51@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
52 ptr = frame;
53 frame_size = 0;
54 addr = s->tx_descriptor;
55- while (1) {
56+ while (descnt++ < FEC_MAX_DESC) {
57 mcf_fec_read_bd(&bd, addr);
58 DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
59 addr, bd.flags, bd.length, bd.data);
60--
612.9.3
62
diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
index 90e4eecb10..a75bcdfa0b 100644
--- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
@@ -10,6 +10,8 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
10 file://pathlimit.patch \ 10 file://pathlimit.patch \
11 file://qemu-2.5.0-cflags.patch \ 11 file://qemu-2.5.0-cflags.patch \
12 file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \ 12 file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \
13 file://0002-fix-CVE-2016-7423.patch \
14 file://0003-fix-CVE-2016-7908.patch \
13" 15"
14 16
15SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 17SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"