summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch')
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch70
1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch
new file mode 100644
index 0000000000..88bfd811ea
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch
@@ -0,0 +1,70 @@
1From 20abe443ad9464b18ac494f71f7d53f19ee3748f Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 15 Oct 2018 16:38:08 +0800
4Subject: [PATCH] rtl8139: fix possible out of bound access
5
6In rtl8139_do_receive(), we try to assign size_ to size which converts
7from size_t to integer. This will cause troubles when size_ is greater
8INT_MAX, this will lead a negative value in size and it can then pass
9the check of size < MIN_BUF_SIZE which may lead out of bound access of
10for both buf and buf1.
11
12Fixing by converting the type of size to size_t.
13
14CC: address@hidden
15Reported-by: Daniel Shapira <address@hidden>
16Reviewed-by: Michael S. Tsirkin <address@hidden>
17Signed-off-by: Jason Wang <address@hidden>
18
19Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html]
20
21CVE: CVE-2018-17962
22
23Signed-off-by: Changqing Li <changqing.li@windriver.com>
24---
25 hw/net/rtl8139.c | 8 ++++----
26 1 file changed, 4 insertions(+), 4 deletions(-)
27
28diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
29index 46daa16..2342a09 100644
30--- a/hw/net/rtl8139.c
31+++ b/hw/net/rtl8139.c
32@@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
33 RTL8139State *s = qemu_get_nic_opaque(nc);
34 PCIDevice *d = PCI_DEVICE(s);
35 /* size is the length of the buffer passed to the driver */
36- int size = size_;
37+ size_t size = size_;
38 const uint8_t *dot1q_buf = NULL;
39
40 uint32_t packet_header = 0;
41@@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
42 static const uint8_t broadcast_macaddr[6] =
43 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
44
45- DPRINTF(">>> received len=%d\n", size);
46+ DPRINTF(">>> received len=%zu\n", size);
47
48 /* test if board clock is stopped */
49 if (!s->clock_enabled)
50@@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
51
52 if (size+4 > rx_space)
53 {
54- DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n",
55+ DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n",
56 descriptor, rx_space, size);
57
58 s->IntrStatus |= RxOverflow;
59@@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
60 if (avail != 0 && RX_ALIGN(size + 8) >= avail)
61 {
62 DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
63- "read 0x%04x === available 0x%04x need 0x%04x\n",
64+ "read 0x%04x === available 0x%04x need 0x%04zx\n",
65 s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8);
66
67 s->IntrStatus |= RxOverflow;
68--
692.7.4
70