summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.8.0.bb1
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch
new file mode 100644
index 0000000000..e0f7a1a3fd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch
@@ -0,0 +1,44 @@
1From 7139ccbc907441337b4b59cde2c5b5a54cb5b2cc Mon Sep 17 00:00:00 2001
2From: Sona Sarmadi <sona.sarmadi@enea.com>
3
4virtio-gpu: fix information leak in capset get dispatch
5
6In virgl_cmd_get_capset function, it uses g_malloc to allocate
7a response struct to the guest. As the 'resp'struct hasn't been full
8initialized it will lead the 'resp->padding' field to the guest.
9Use g_malloc0 to avoid this.
10
11Signed-off-by: Li Qiang <liqiang6-s@360.cn>
12Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
13Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com
14
15[Sona: backported from master to v2.8.0 and resolved conflict]
16
17Reference to upstream patch:
18http://git.qemu-project.org/?p=qemu.git;a=commit;h=85d9d044471f93c48c5c396f7e217b4ef12f69f8
19
20CVE: CVE-2016-9908
21Upstream-Status: Backport
22
23Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
24Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
25---
26 hw/display/virtio-gpu-3d.c | 2 +-
27 1 file changed, 1 insertion(+), 1 deletion(-)
28
29diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
30index 23f39de..d98b140 100644
31--- a/hw/display/virtio-gpu-3d.c
32+++ b/hw/display/virtio-gpu-3d.c
33@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
34
35 virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
36 &max_size);
37- resp = g_malloc(sizeof(*resp) + max_size);
38+ resp = g_malloc0(sizeof(*resp) + max_size);
39
40 resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
41 virgl_renderer_fill_caps(gc.capset_id,
42--
431.9.1
44
diff --git a/meta/recipes-devtools/qemu/qemu_2.8.0.bb b/meta/recipes-devtools/qemu/qemu_2.8.0.bb
index e0527a8fd9..69d4f28b14 100644
--- a/meta/recipes-devtools/qemu/qemu_2.8.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.8.0.bb
@@ -9,6 +9,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
9 file://pathlimit.patch \ 9 file://pathlimit.patch \
10 file://qemu-2.5.0-cflags.patch \ 10 file://qemu-2.5.0-cflags.patch \
11 file://target-ppc-fix-user-mode.patch \ 11 file://target-ppc-fix-user-mode.patch \
12 file://CVE-2016-9908.patch \
12" 13"
13 14
14SRC_URI =+ "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 15SRC_URI =+ "http://wiki.qemu-project.org/download/${BP}.tar.bz2"