2 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index dfe17eed8b..7f0b3a7a73 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -24,6 +24,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://0009-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
           file://0010-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
           file://0013-target-arm-Fix-vector-operation-segfault.patch \
+           file://CVE-2019-12155.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch
new file mode 100644
index 0000000000..c49a5e9a2a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch
@@ -0,0 +1,35 @@
+From d52680fc932efb8a2f334cc6993e705ed1e31e99 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 25 Apr 2019 12:05:34 +0530
+Subject: [PATCH] qxl: check release info object
+When releasing spice resources in release_resource() routine,
+if release info object 'ext.info' is null, it leads to null
+pointer dereference. Add check to avoid it.
+Reported-by: Bugs SysSec <bugs-syssec@rub.de>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20190425063534.32747-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2019-12155
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ hw/display/qxl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index c8ce5781e03..632923add23 100644
+--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
+@@ -777,6 +777,9 @@ static void interface_release_resource(QXLInstance *sin,
+     QXLReleaseRing *ring;
+     uint64_t *item, id;
+ 
+    if (!ext.info) {
+        return;
+    }
+     if (ext.group_id == MEMSLOT_GROUP_HOST) {
+         /* host group -> vga mode update request */
+         QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index dfe17eed8b..7f0b3a7a73 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -24,6 +24,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
24	file://0009-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \	24	file://0009-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
25	file://0010-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \	25	file://0010-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
26	file://0013-target-arm-Fix-vector-operation-segfault.patch \	26	file://0013-target-arm-Fix-vector-operation-segfault.patch \
		27	file://CVE-2019-12155.patch \
27	"	28	"
28	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	29	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
29		30


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch new file mode 100644 index 0000000000..c49a5e9a2a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch
@@ -0,0 +1,35 @@
		1	From d52680fc932efb8a2f334cc6993e705ed1e31e99 Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Thu, 25 Apr 2019 12:05:34 +0530
		4	Subject: [PATCH] qxl: check release info object
		5
		6	When releasing spice resources in release_resource() routine,
		7	if release info object 'ext.info' is null, it leads to null
		8	pointer dereference. Add check to avoid it.
		9
		10	Reported-by: Bugs SysSec <bugs-syssec@rub.de>
		11	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		12	Message-id: 20190425063534.32747-1-ppandit@redhat.com
		13	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		14
		15	Upstream-Status: Backport
		16	CVE: CVE-2019-12155
		17	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		18	---
		19	hw/display/qxl.c \| 3 +++
		20	1 file changed, 3 insertions(+)
		21
		22	diff --git a/hw/display/qxl.c b/hw/display/qxl.c
		23	index c8ce5781e03..632923add23 100644
		24	--- a/hw/display/qxl.c
		25	+++ b/hw/display/qxl.c
		26	@@ -777,6 +777,9 @@ static void interface_release_resource(QXLInstance *sin,
		27	QXLReleaseRing *ring;
		28	uint64_t *item, id;
		29
		30	+ if (!ext.info) {
		31	+ return;
		32	+ }
		33	if (ext.group_id == MEMSLOT_GROUP_HOST) {
		34	/* host group -> vga mode update request */
		35	QXLCommandExt cmdext = (void )(intptr_t)(ext.info->id);