summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch45
2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index e0ea5ad477..7ce89c0023 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -47,6 +47,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
47 file://CVE-2020-15863.patch \ 47 file://CVE-2020-15863.patch \
48 file://CVE-2020-14364.patch \ 48 file://CVE-2020-14364.patch \
49 file://CVE-2020-14415.patch \ 49 file://CVE-2020-14415.patch \
50 file://CVE-2020-16092.patch \
50 " 51 "
51UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 52UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
52 53
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
new file mode 100644
index 0000000000..5085a28a4f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
@@ -0,0 +1,45 @@
1From 035e69b063835a5fd23cacabd63690a3d84532a8 Mon Sep 17 00:00:00 2001
2From: Mauro Matteo Cascella <mcascell@redhat.com>
3Date: Sat, 1 Aug 2020 18:42:38 +0200
4Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
5 net_tx_pkt_add_raw_fragment()
6
7An assertion failure issue was found in the code that processes network packets
8while adding data fragments into the packet context. It could be abused by a
9malicious guest to abort the QEMU process on the host. This patch replaces the
10affected assert() with a conditional statement, returning false if the current
11data fragment exceeds max_raw_frags.
12
13Reported-by: Alexander Bulekov <alxndr@bu.edu>
14Reported-by: Ziming Zhang <ezrakiez@gmail.com>
15Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
16Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
17Signed-off-by: Jason Wang <jasowang@redhat.com>
18
19
20Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8]
21CVE: CVE-2020-16092
22Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
23---
24 hw/net/net_tx_pkt.c | 5 ++++-
25 1 file changed, 4 insertions(+), 1 deletion(-)
26
27diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
28index 9560e4a..da262ed 100644
29--- a/hw/net/net_tx_pkt.c
30+++ b/hw/net/net_tx_pkt.c
31@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
32 hwaddr mapped_len = 0;
33 struct iovec *ventry;
34 assert(pkt);
35- assert(pkt->max_raw_frags > pkt->raw_frags);
36+
37+ if (pkt->raw_frags >= pkt->max_raw_frags) {
38+ return false;
39+ }
40
41 if (!len) {
42 return true;
43--
441.8.3.1
45