diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch b/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch deleted file mode 100644 index 985b819409..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch +++ /dev/null | |||
@@ -1,60 +0,0 @@ | |||
1 | CVE: CVE-2018-20124 | ||
2 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373] | ||
3 | |||
4 | Backport patch to fix CVE-2018-20124. Update context and stay with current | ||
5 | function comp_handler() which has been replaced with complete_work() in latest | ||
6 | git repo. | ||
7 | |||
8 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
9 | |||
10 | From 0e68373cc2b3a063ce067bc0cc3edaf370752890 Mon Sep 17 00:00:00 2001 | ||
11 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
12 | Date: Thu, 13 Dec 2018 01:00:34 +0530 | ||
13 | Subject: [PATCH] rdma: check num_sge does not exceed MAX_SGE | ||
14 | |||
15 | rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set | ||
16 | to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element | ||
17 | with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue. | ||
18 | Add check to avoid it. | ||
19 | |||
20 | Reported-by: Saar Amar <saaramar5@gmail.com> | ||
21 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
22 | Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> | ||
23 | Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> | ||
24 | --- | ||
25 | hw/rdma/rdma_backend.c | 12 ++++++------ | ||
26 | 1 file changed, 6 insertions(+), 6 deletions(-) | ||
27 | |||
28 | diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c | ||
29 | index d7a4bbd9..7f8028f8 100644 | ||
30 | --- a/hw/rdma/rdma_backend.c | ||
31 | +++ b/hw/rdma/rdma_backend.c | ||
32 | @@ -311,9 +311,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev, | ||
33 | } | ||
34 | |||
35 | pr_dbg("num_sge=%d\n", num_sge); | ||
36 | - if (!num_sge) { | ||
37 | - pr_dbg("num_sge=0\n"); | ||
38 | - comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); | ||
39 | + if (!num_sge || num_sge > MAX_SGE) { | ||
40 | + pr_dbg("invalid num_sge=%d\n", num_sge); | ||
41 | + comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); | ||
42 | return; | ||
43 | } | ||
44 | |||
45 | @@ -390,9 +390,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev, | ||
46 | } | ||
47 | |||
48 | pr_dbg("num_sge=%d\n", num_sge); | ||
49 | - if (!num_sge) { | ||
50 | - pr_dbg("num_sge=0\n"); | ||
51 | - comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); | ||
52 | + if (!num_sge || num_sge > MAX_SGE) { | ||
53 | + pr_dbg("invalid num_sge=%d\n", num_sge); | ||
54 | + comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); | ||
55 | return; | ||
56 | } | ||
57 | |||
58 | -- | ||
59 | 2.20.1 | ||
60 | |||