Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch | 86 |
1 files changed, 86 insertions, 0 deletions
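diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
new file mode 100644
index 0000000000..b632512e8b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
@@ -0,0 +1,86 @@
+From bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Sat, 27 Oct 2018 01:13:14 +0530
+Subject: [PATCH] lsi53c895a: check message length value is valid
+
+While writing a message in 'lsi_do_msgin', message length value
+in 'msg_len' could be invalid due to an invalid migration stream.
+Add an assertion to avoid an out of bounds access, and reject
+the incoming migration data if it contains an invalid message
+length.
+
+Discovered by Deja vu Security. Reported by Oracle.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20181026194314.18663-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit e58ccf039650065a9442de43c9816f81e88f27f6)
+*CVE-2018-18849
+*avoid context dep. on c921370b22c
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-18849
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/scsi/lsi53c895a.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 160657f..3758635 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -865,10 +865,11 @@ static void lsi_do_status(LSIState *s)
+ 
+ static void lsi_do_msgin(LSIState *s)
+ {
+- int len;
++ uint8_t len;
+ DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
+ s->sfbr = s->msg[0];
+ len = s->msg_len;
++ assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
+ if (len > s->dbc)
+ len = s->dbc;
+ pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
+@@ -1703,8 +1704,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset)
+ break;
+ case 0x58: /* SBDL */
+ /* Some drivers peek at the data bus during the MSG IN phase. */
+- if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
++ if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
++ assert(s->msg_len > 0);
+ return s->msg[0];
++ }
+ ret = 0;
+ break;
+ case 0x59: /* SBDL high */
+@@ -2096,11 +2099,23 @@ static int lsi_pre_save(void *opaque)
+ return 0;
+ }
+ 
++static int lsi_post_load(void *opaque, int version_id)
++{
++ LSIState *s = opaque;
++
++ if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ static const VMStateDescription vmstate_lsi_scsi = {
+ .name = "lsiscsi",
+ .version_id = 0,
+ .minimum_version_id = 0,
+ .pre_save = lsi_pre_save,
++ .post_load = lsi_post_load,
+ .fields = (VMStateField[]) {
+ VMSTATE_PCI_DEVICE(parent_obj, LSIState),
+ 
+--
+2.7.4
+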
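Review bot: The assertion added in lsi_do_msgin (inner hunk at hw/scsi/lsi53c895a.c:865) tests `len` only after it has been narrowed to uint8_t, so any msg_len that wraps to 1..LSI_MAX_MSGIN_LEN modulo 256 passes it; checking the field itself before the narrowing, `assert(s->msg_len > 0 && s->msg_len <= LSI_MAX_MSGIN_LEN);`, closes that gap whatever the field's width (the `< 0` test in lsi_post_load implies it is signed). lsi_post_load also accepts msg_len == 0 while the new `assert(s->msg_len > 0)` in lsi_reg_readb aborts on a zero length during MSG IN, so if sstat1 is restored from the same stream a crafted stream with msg_len == 0 and the phase set to MSG IN is not rejected at load but turns a guest SBDL read into a QEMU abort; that is the same abort-over-OOB trade upstream made, but a one-line comment in lsi_post_load saying zero is deliberately allowed would save the next reader the question. The recipe SRC_URI line that references this file is outside this diffstat, so confirm it lands in the accompanying recipe change.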