diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch new file mode 100644 index 0000000000..d01e874473 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From 065e6298a75164b4347682b63381dbe752c2b156 Mon Sep 17 00:00:00 2001 | ||
2 | From: Markus Armbruster <armbru@redhat.com> | ||
3 | Date: Tue, 9 Apr 2019 19:40:18 +0200 | ||
4 | Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree() | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the | ||
10 | computation of @dt_size overflows to a negative number, which then | ||
11 | gets converted to a very large size_t for g_malloc0() and | ||
12 | load_image_size(). In the (fortunately improbable) case g_malloc0() | ||
13 | succeeds and load_image_size() survives, we'd assign the negative | ||
14 | number to *sizep. What that would do to the callers I can't say, but | ||
15 | it's unlikely to be good. | ||
16 | |||
17 | Fix by rejecting images whose size would overflow. | ||
18 | |||
19 | Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com> | ||
20 | Signed-off-by: Markus Armbruster <armbru@redhat.com> | ||
21 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
22 | Signed-off-by: Alistair Francis <alistair.francis@wdc.com> | ||
23 | Message-Id: <20190409174018.25798-1-armbru@redhat.com> | ||
24 | |||
25 | Upstream-Status: Backport | ||
26 | CVE: CVE-2018-20815 | ||
27 | affects <= 3.0.1 | ||
28 | |||
29 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
30 | |||
31 | --- | ||
32 | device_tree.c | 4 ++++ | ||
33 | 1 file changed, 4 insertions(+) | ||
34 | |||
35 | diff --git a/device_tree.c b/device_tree.c | ||
36 | index 296278e..f8b46b3 100644 | ||
37 | --- a/device_tree.c | ||
38 | +++ b/device_tree.c | ||
39 | @@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep) | ||
40 | filename_path); | ||
41 | goto fail; | ||
42 | } | ||
43 | + if (dt_size > INT_MAX / 2 - 10000) { | ||
44 | + error_report("Device tree file '%s' is too large", filename_path); | ||
45 | + goto fail; | ||
46 | + } | ||
47 | |||
48 | /* Expand to 2x size to give enough room for manipulation. */ | ||
49 | dt_size += 10000; | ||
50 | -- | ||
51 | 2.7.4 | ||
52 | |||