1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch
new file mode 100644
index 0000000000..88bfd811ea
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch
@@ -0,0 +1,70 @@
+From 20abe443ad9464b18ac494f71f7d53f19ee3748f Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 15 Oct 2018 16:38:08 +0800
+Subject: [PATCH] rtl8139: fix possible out of bound access
+In rtl8139_do_receive(), we try to assign size_ to size which converts
+from size_t to integer. This will cause troubles when size_ is greater
+INT_MAX, this will lead a negative value in size and it can then pass
+the check of size < MIN_BUF_SIZE which may lead out of bound access of
+for both buf and buf1.
+Fixing by converting the type of size to size_t.
+CC: address@hidden
+Reported-by: Daniel Shapira <address@hidden>
+Reviewed-by: Michael S. Tsirkin <address@hidden>
+Signed-off-by: Jason Wang <address@hidden>
+Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html]
+CVE: CVE-2018-17962
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ hw/net/rtl8139.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 46daa16..2342a09 100644
+--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
+@@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
+     RTL8139State *s = qemu_get_nic_opaque(nc);
+     PCIDevice *d = PCI_DEVICE(s);
+     /* size is the length of the buffer passed to the driver */
+-    int size = size_;
+    size_t size = size_;
+     const uint8_t *dot1q_buf = NULL;
+ 
+     uint32_t packet_header = 0;
+@@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
+     static const uint8_t broadcast_macaddr[6] =
+         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+ 
+-    DPRINTF(">>> received len=%d\n", size);
+    DPRINTF(">>> received len=%zu\n", size);
+ 
+     /* test if board clock is stopped */
+     if (!s->clock_enabled)
+@@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
+ 
+         if (size+4 > rx_space)
+         {
+-            DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n",
+            DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n",
+                 descriptor, rx_space, size);
+ 
+             s->IntrStatus |= RxOverflow;
+@@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
+         if (avail != 0 && RX_ALIGN(size + 8) >= avail)
+         {
+             DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
+-                "read 0x%04x === available 0x%04x need 0x%04x\n",
+                "read 0x%04x === available 0x%04x need 0x%04zx\n",
+                 s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8);
+ 
+             s->IntrStatus |= RxOverflow;
+-- 
+2.7.4

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch new file mode 100644 index 0000000000..88bfd811ea --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch
@@ -0,0 +1,70 @@
	1	From 20abe443ad9464b18ac494f71f7d53f19ee3748f Mon Sep 17 00:00:00 2001
	2	From: Changqing Li <changqing.li@windriver.com>
	3	Date: Mon, 15 Oct 2018 16:38:08 +0800
	4	Subject: [PATCH] rtl8139: fix possible out of bound access
	5
	6	In rtl8139_do_receive(), we try to assign size_ to size which converts
	7	from size_t to integer. This will cause troubles when size_ is greater
	8	INT_MAX, this will lead a negative value in size and it can then pass
	9	the check of size < MIN_BUF_SIZE which may lead out of bound access of
	10	for both buf and buf1.
	11
	12	Fixing by converting the type of size to size_t.
	13
	14	CC: address@hidden
	15	Reported-by: Daniel Shapira <address@hidden>
	16	Reviewed-by: Michael S. Tsirkin <address@hidden>
	17	Signed-off-by: Jason Wang <address@hidden>
	18
	19	Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html]
	20
	21	CVE: CVE-2018-17962
	22
	23	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	24	---
	25	hw/net/rtl8139.c \| 8 ++++----
	26	1 file changed, 4 insertions(+), 4 deletions(-)
	27
	28	diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
	29	index 46daa16..2342a09 100644
	30	--- a/hw/net/rtl8139.c
	31	+++ b/hw/net/rtl8139.c
	32	@@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t
	33	RTL8139State *s = qemu_get_nic_opaque(nc);
	34	PCIDevice *d = PCI_DEVICE(s);
	35	/* size is the length of the buffer passed to the driver */
	36	- int size = size_;
	37	+ size_t size = size_;
	38	const uint8_t *dot1q_buf = NULL;
	39
	40	uint32_t packet_header = 0;
	41	@@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t
	42	static const uint8_t broadcast_macaddr[6] =
	43	{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
	44
	45	- DPRINTF(">>> received len=%d\n", size);
	46	+ DPRINTF(">>> received len=%zu\n", size);
	47
	48	/* test if board clock is stopped */
	49	if (!s->clock_enabled)
	50	@@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t
	51
	52	if (size+4 > rx_space)
	53	{
	54	- DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n",
	55	+ DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n",
	56	descriptor, rx_space, size);
	57
	58	s->IntrStatus \|= RxOverflow;
	59	@@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t
	60	if (avail != 0 && RX_ALIGN(size + 8) >= avail)
	61	{
	62	DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
	63	- "read 0x%04x === available 0x%04x need 0x%04x\n",
	64	+ "read 0x%04x === available 0x%04x need 0x%04zx\n",
	65	s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8);
	66
	67	s->IntrStatus \|= RxOverflow;
	68	--
	69	2.7.4
	70