diff options
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch | 61 |
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 126e7d442c..3e5006937b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
| @@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
| 38 | file://0001-qemu-Do-not-include-file-if-not-exists.patch \ | 38 | file://0001-qemu-Do-not-include-file-if-not-exists.patch \ |
| 39 | file://CVE-2020-11102.patch \ | 39 | file://CVE-2020-11102.patch \ |
| 40 | file://CVE-2020-11869.patch \ | 40 | file://CVE-2020-11869.patch \ |
| 41 | file://CVE-2020-13361.patch \ | ||
| 41 | " | 42 | " |
| 42 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 43 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
| 43 | 44 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch new file mode 100644 index 0000000000..e0acc70f3c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch | |||
| @@ -0,0 +1,61 @@ | |||
| 1 | From 369ff955a8497988d079c4e3fa1e93c2570c1c69 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 3 | Date: Fri, 15 May 2020 01:36:08 +0530 | ||
| 4 | Subject: [PATCH] es1370: check total frame count against current frame | ||
| 5 | |||
| 6 | A guest user may set channel frame count via es1370_write() | ||
| 7 | such that, in es1370_transfer_audio(), total frame count | ||
| 8 | 'size' is lesser than the number of frames that are processed | ||
| 9 | 'cnt'. | ||
| 10 | |||
| 11 | int cnt = d->frame_cnt >> 16; | ||
| 12 | int size = d->frame_cnt & 0xffff; | ||
| 13 | |||
| 14 | if (size < cnt), it results in incorrect calculations leading | ||
| 15 | to OOB access issue(s). Add check to avoid it. | ||
| 16 | |||
| 17 | Reported-by: Ren Ding <rding@gatech.edu> | ||
| 18 | Reported-by: Hanqing Zhao <hanqing@gatech.edu> | ||
| 19 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 20 | Message-id: 20200514200608.1744203-1-ppandit@redhat.com | ||
| 21 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
| 22 | |||
| 23 | Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03983.html] | ||
| 24 | CVE: CVE-2020-13361 | ||
| 25 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
| 26 | --- | ||
| 27 | hw/audio/es1370.c | 7 +++++-- | ||
| 28 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
| 29 | |||
| 30 | diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c | ||
| 31 | index 89c4dabcd44..5f8a83ff562 100644 | ||
| 32 | --- a/hw/audio/es1370.c | ||
| 33 | +++ b/hw/audio/es1370.c | ||
| 34 | @@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, | ||
| 35 | int csc_bytes = (csc + 1) << d->shift; | ||
| 36 | int cnt = d->frame_cnt >> 16; | ||
| 37 | int size = d->frame_cnt & 0xffff; | ||
| 38 | + if (size < cnt) { | ||
| 39 | + return; | ||
| 40 | + } | ||
| 41 | int left = ((size - cnt + 1) << 2) + d->leftover; | ||
| 42 | int transferred = 0; | ||
| 43 | int temp = MIN (max, MIN (left, csc_bytes)); | ||
| 44 | @@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, | ||
| 45 | addr += (cnt << 2) + d->leftover; | ||
| 46 | |||
| 47 | if (index == ADC_CHANNEL) { | ||
| 48 | - while (temp) { | ||
| 49 | + while (temp > 0) { | ||
| 50 | int acquired, to_copy; | ||
| 51 | |||
| 52 | to_copy = MIN ((size_t) temp, sizeof (tmpbuf)); | ||
| 53 | @@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, | ||
| 54 | else { | ||
| 55 | SWVoiceOut *voice = s->dac_voice[index]; | ||
| 56 | |||
| 57 | - while (temp) { | ||
| 58 | + while (temp > 0) { | ||
| 59 | int copied, to_copy; | ||
| 60 | |||
| 61 | to_copy = MIN ((size_t) temp, sizeof (tmpbuf)); | ||