diff options
author | Kai Kang <kai.kang@windriver.com> | 2016-10-26 17:54:50 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-06 23:35:35 +0000 |
commit | 8ce19e9e0bb320644d558e18ba2c8d91b3ef1e2e (patch) | |
tree | 9885cce5f46c4b395abf5c584ad3394e44b1c86e /meta | |
parent | 19be0e3f43c0d322c31b48986d7492a3c4f261a2 (diff) | |
download | poky-8ce19e9e0bb320644d558e18ba2c8d91b3ef1e2e.tar.gz |
qemu: fix CVE-2016-7423 and CVE-2016-7908
Backport patches to fix CVE-2016-7423 and CVE-2016-7908 of qemu.
(From OE-Core rev: 1f4c303fd64a4bc05882de01676f241f0df6da78)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch | 45 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch | 62 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.7.0.bb | 2 |
3 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch b/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch new file mode 100644 index 0000000000..fdf58a3d65 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Backport patch to fix CVE-2016-7423 from: | ||
4 | |||
5 | http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed | ||
6 | |||
7 | CVE: CVE-2016-7423 | ||
8 | |||
9 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
10 | --- | ||
11 | From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001 | ||
12 | From: Li Qiang <liqiang6-s@360.cn> | ||
13 | Date: Mon, 12 Sep 2016 18:14:11 +0530 | ||
14 | Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object | ||
15 | |||
16 | When processing IO request in mptsas, it uses g_new to allocate | ||
17 | a 'req' object. If an error occurs before 'req->sreq' is | ||
18 | allocated, It could lead to an OOB write in mptsas_free_request | ||
19 | function. Use g_new0 to avoid it. | ||
20 | |||
21 | Reported-by: Li Qiang <liqiang6-s@360.cn> | ||
22 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
23 | Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com> | ||
24 | Cc: qemu-stable@nongnu.org | ||
25 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
26 | --- | ||
27 | hw/scsi/mptsas.c | 2 +- | ||
28 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
29 | |||
30 | diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c | ||
31 | index 0e0a22f..eaae1bb 100644 | ||
32 | --- a/hw/scsi/mptsas.c | ||
33 | +++ b/hw/scsi/mptsas.c | ||
34 | @@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, | ||
35 | goto bad; | ||
36 | } | ||
37 | |||
38 | - req = g_new(MPTSASRequest, 1); | ||
39 | + req = g_new0(MPTSASRequest, 1); | ||
40 | QTAILQ_INSERT_TAIL(&s->pending, req, next); | ||
41 | req->scsi_io = *scsi_io; | ||
42 | req->dev = s; | ||
43 | -- | ||
44 | 2.9.3 | ||
45 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch new file mode 100644 index 0000000000..05cc3d9d13 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Backport patch to fix CVE-2016-7908 from: | ||
4 | |||
5 | http://git.qemu.org/?p=qemu.git;a=commit;h=070c4b92b8c | ||
6 | |||
7 | CVE: CVE-2016-7908 | ||
8 | |||
9 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
10 | --- | ||
11 | From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001 | ||
12 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
13 | Date: Thu, 22 Sep 2016 16:02:37 +0530 | ||
14 | Subject: [PATCH] net: mcf: limit buffer descriptor count | ||
15 | |||
16 | ColdFire Fast Ethernet Controller uses buffer descriptors to manage | ||
17 | data flow to/fro receive & transmit queues. While transmitting | ||
18 | packets, it could continue to read buffer descriptors if a buffer | ||
19 | descriptor has length of zero and has crafted values in bd.flags. | ||
20 | Set upper limit to number of buffer descriptors. | ||
21 | |||
22 | Reported-by: Li Qiang <liqiang6-s@360.cn> | ||
23 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
24 | Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> | ||
25 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
26 | --- | ||
27 | hw/net/mcf_fec.c | 5 +++-- | ||
28 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
29 | |||
30 | diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c | ||
31 | index 0ee8ad9..d31fea1 100644 | ||
32 | --- a/hw/net/mcf_fec.c | ||
33 | +++ b/hw/net/mcf_fec.c | ||
34 | @@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0) | ||
35 | #define DPRINTF(fmt, ...) do {} while(0) | ||
36 | #endif | ||
37 | |||
38 | +#define FEC_MAX_DESC 1024 | ||
39 | #define FEC_MAX_FRAME_SIZE 2032 | ||
40 | |||
41 | typedef struct { | ||
42 | @@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) | ||
43 | uint32_t addr; | ||
44 | mcf_fec_bd bd; | ||
45 | int frame_size; | ||
46 | - int len; | ||
47 | + int len, descnt = 0; | ||
48 | uint8_t frame[FEC_MAX_FRAME_SIZE]; | ||
49 | uint8_t *ptr; | ||
50 | |||
51 | @@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) | ||
52 | ptr = frame; | ||
53 | frame_size = 0; | ||
54 | addr = s->tx_descriptor; | ||
55 | - while (1) { | ||
56 | + while (descnt++ < FEC_MAX_DESC) { | ||
57 | mcf_fec_read_bd(&bd, addr); | ||
58 | DPRINTF("tx_bd %x flags %04x len %d data %08x\n", | ||
59 | addr, bd.flags, bd.length, bd.data); | ||
60 | -- | ||
61 | 2.9.3 | ||
62 | |||
diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb index 90e4eecb10..a75bcdfa0b 100644 --- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb | |||
@@ -10,6 +10,8 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ | |||
10 | file://pathlimit.patch \ | 10 | file://pathlimit.patch \ |
11 | file://qemu-2.5.0-cflags.patch \ | 11 | file://qemu-2.5.0-cflags.patch \ |
12 | file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \ | 12 | file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \ |
13 | file://0002-fix-CVE-2016-7423.patch \ | ||
14 | file://0003-fix-CVE-2016-7908.patch \ | ||
13 | " | 15 | " |
14 | 16 | ||
15 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" | 17 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" |