1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch
new file mode 100644
index 0000000000..d01e874473
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch
@@ -0,0 +1,52 @@
+From 065e6298a75164b4347682b63381dbe752c2b156 Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Tue, 9 Apr 2019 19:40:18 +0200
+Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
+computation of @dt_size overflows to a negative number, which then
+gets converted to a very large size_t for g_malloc0() and
+load_image_size().  In the (fortunately improbable) case g_malloc0()
+succeeds and load_image_size() survives, we'd assign the negative
+number to *sizep.  What that would do to the callers I can't say, but
+it's unlikely to be good.
+Fix by rejecting images whose size would overflow.
+Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com>
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20190409174018.25798-1-armbru@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2018-20815
+affects <= 3.0.1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ device_tree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/device_tree.c b/device_tree.c
+index 296278e..f8b46b3 100644
+--- a/device_tree.c
+++ b/device_tree.c
+@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
+                      filename_path);
+         goto fail;
+     }
+    if (dt_size > INT_MAX / 2 - 10000) {
+        error_report("Device tree file '%s' is too large", filename_path);
+        goto fail;
+    }
+ 
+     /* Expand to 2x size to give enough room for manipulation.  */
+     dt_size += 10000;
+-- 
+2.7.4

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch new file mode 100644 index 0000000000..d01e874473 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch
@@ -0,0 +1,52 @@
	1	From 065e6298a75164b4347682b63381dbe752c2b156 Mon Sep 17 00:00:00 2001
	2	From: Markus Armbruster <armbru@redhat.com>
	3	Date: Tue, 9 Apr 2019 19:40:18 +0200
	4	Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree()
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
	10	computation of @dt_size overflows to a negative number, which then
	11	gets converted to a very large size_t for g_malloc0() and
	12	load_image_size(). In the (fortunately improbable) case g_malloc0()
	13	succeeds and load_image_size() survives, we'd assign the negative
	14	number to *sizep. What that would do to the callers I can't say, but
	15	it's unlikely to be good.
	16
	17	Fix by rejecting images whose size would overflow.
	18
	19	Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com>
	20	Signed-off-by: Markus Armbruster <armbru@redhat.com>
	21	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	22	Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
	23	Message-Id: <20190409174018.25798-1-armbru@redhat.com>
	24
	25	Upstream-Status: Backport
	26	CVE: CVE-2018-20815
	27	affects <= 3.0.1
	28
	29	Signed-off-by: Armin Kuster <akuster@mvista.com>
	30
	31	---
	32	device_tree.c \| 4 ++++
	33	1 file changed, 4 insertions(+)
	34
	35	diff --git a/device_tree.c b/device_tree.c
	36	index 296278e..f8b46b3 100644
	37	--- a/device_tree.c
	38	+++ b/device_tree.c
	39	@@ -84,6 +84,10 @@ void load_device_tree(const char filename_path, int *sizep)
	40	filename_path);
	41	goto fail;
	42	}
	43	+ if (dt_size > INT_MAX / 2 - 10000) {
	44	+ error_report("Device tree file '%s' is too large", filename_path);
	45	+ goto fail;
	46	+ }
	47
	48	/* Expand to 2x size to give enough room for manipulation. */
	49	dt_size += 10000;
	50	--
	51	2.7.4
	52