1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch
new file mode 100644
index 0000000000..969ad877d6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch
@@ -0,0 +1,70 @@
+From ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 7 Sep 2017 12:02:56 +0530
+Subject: [PATCH] multiboot: validate multiboot header address values
+While loading kernel via multiboot-v1 image, (flags & 0x00010000)
+indicates that multiboot header contains valid addresses to load
+the kernel image. These addresses are used to compute kernel
+size and kernel text offset in the OS image. Validate these
+address values to avoid an OOB access issue.
+This is CVE-2017-14167.
+Reported-by: Thomas Garnier <thgarnie@google.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20170907063256.7418-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb]
+CVE: CVE-2017-14167
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ hw/i386/multiboot.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
+index 6001f4c..c7b70c9 100644
+--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
+@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
+         uint32_t mh_header_addr = ldl_p(header+i+12);
+         uint32_t mh_load_end_addr = ldl_p(header+i+20);
+         uint32_t mh_bss_end_addr = ldl_p(header+i+24);
+
+         mh_load_addr = ldl_p(header+i+16);
+        if (mh_header_addr < mh_load_addr) {
+            fprintf(stderr, "invalid mh_load_addr address\n");
+            exit(1);
+        }
+
+         uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
+         uint32_t mb_load_size = 0;
+         mh_entry_addr = ldl_p(header+i+28);
+ 
+         if (mh_load_end_addr) {
+            if (mh_bss_end_addr < mh_load_addr) {
+                fprintf(stderr, "invalid mh_bss_end_addr address\n");
+                exit(1);
+            }
+             mb_kernel_size = mh_bss_end_addr - mh_load_addr;
+
+            if (mh_load_end_addr < mh_load_addr) {
+                fprintf(stderr, "invalid mh_load_end_addr address\n");
+                exit(1);
+            }
+             mb_load_size = mh_load_end_addr - mh_load_addr;
+         } else {
+            if (kernel_file_size < mb_kernel_text_offset) {
+                fprintf(stderr, "invalid kernel_file_size\n");
+                exit(1);
+            }
+             mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
+             mb_load_size = mb_kernel_size;
+         }
+-- 
+2.7.4

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch new file mode 100644 index 0000000000..969ad877d6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch
@@ -0,0 +1,70 @@
	1	From ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Thu, 7 Sep 2017 12:02:56 +0530
	4	Subject: [PATCH] multiboot: validate multiboot header address values
	5
	6	While loading kernel via multiboot-v1 image, (flags & 0x00010000)
	7	indicates that multiboot header contains valid addresses to load
	8	the kernel image. These addresses are used to compute kernel
	9	size and kernel text offset in the OS image. Validate these
	10	address values to avoid an OOB access issue.
	11
	12	This is CVE-2017-14167.
	13
	14	Reported-by: Thomas Garnier <thgarnie@google.com>
	15	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	16	Message-Id: <20170907063256.7418-1-ppandit@redhat.com>
	17	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	18
	19	Upstream-Status: Backport
	20	[https://git.qemu.org/?p=qemu.git;a=commit;h=ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb]
	21
	22	CVE: CVE-2017-14167
	23
	24	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	25	---
	26	hw/i386/multiboot.c \| 19 +++++++++++++++++++
	27	1 file changed, 19 insertions(+)
	28
	29	diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
	30	index 6001f4c..c7b70c9 100644
	31	--- a/hw/i386/multiboot.c
	32	+++ b/hw/i386/multiboot.c
	33	@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
	34	uint32_t mh_header_addr = ldl_p(header+i+12);
	35	uint32_t mh_load_end_addr = ldl_p(header+i+20);
	36	uint32_t mh_bss_end_addr = ldl_p(header+i+24);
	37	+
	38	mh_load_addr = ldl_p(header+i+16);
	39	+ if (mh_header_addr < mh_load_addr) {
	40	+ fprintf(stderr, "invalid mh_load_addr address\n");
	41	+ exit(1);
	42	+ }
	43	+
	44	uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
	45	uint32_t mb_load_size = 0;
	46	mh_entry_addr = ldl_p(header+i+28);
	47
	48	if (mh_load_end_addr) {
	49	+ if (mh_bss_end_addr < mh_load_addr) {
	50	+ fprintf(stderr, "invalid mh_bss_end_addr address\n");
	51	+ exit(1);
	52	+ }
	53	mb_kernel_size = mh_bss_end_addr - mh_load_addr;
	54	+
	55	+ if (mh_load_end_addr < mh_load_addr) {
	56	+ fprintf(stderr, "invalid mh_load_end_addr address\n");
	57	+ exit(1);
	58	+ }
	59	mb_load_size = mh_load_end_addr - mh_load_addr;
	60	} else {
	61	+ if (kernel_file_size < mb_kernel_text_offset) {
	62	+ fprintf(stderr, "invalid kernel_file_size\n");
	63	+ exit(1);
	64	+ }
	65	mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
	66	mb_load_size = mb_kernel_size;
	67	}
	68	--
	69	2.7.4
	70