summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch55
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index d41cc8f200..98bdff7ac6 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -32,6 +32,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
32 file://CVE-2020-13361.patch \ 32 file://CVE-2020-13361.patch \
33 file://find_datadir.patch \ 33 file://find_datadir.patch \
34 file://CVE-2020-10761.patch \ 34 file://CVE-2020-10761.patch \
35 file://CVE-2020-13362.patch \
35 " 36 "
36UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 37UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
37 38
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
new file mode 100644
index 0000000000..af8d4ba8f4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
@@ -0,0 +1,55 @@
1From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 14 May 2020 00:55:38 +0530
4Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check
5 index
6
7A guest user may set 'reply_queue_head' field of MegasasState to
8a negative value. Later in 'megasas_lookup_frame' it is used to
9index into s->frames[] array. Use unsigned type to avoid OOB
10access issue.
11
12Also check that 'index' value stays within s->frames[] bounds
13through the while() loop in 'megasas_lookup_frame' to avoid OOB
14access.
15
16Reported-by: Ren Ding <rding@gatech.edu>
17Reported-by: Hanqing Zhao <hanqing@gatech.edu>
18Reported-by: Alexander Bulekov <alxndr@bu.edu>
19Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
20Acked-by: Alexander Bulekov <alxndr@bu.edu>
21Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
22Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
23
24Upstream-Status: Backport [f50ab86a2620bd7e8507af865b164655ee921661]
25CVE: CVE-2020-13362
26Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
27---
28 hw/scsi/megasas.c | 4 ++--
29 1 file changed, 2 insertions(+), 2 deletions(-)
30
31diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
32index af18c88b65..6ce598cd69 100644
33--- a/hw/scsi/megasas.c
34+++ b/hw/scsi/megasas.c
35@@ -112,7 +112,7 @@ typedef struct MegasasState {
36 uint64_t reply_queue_pa;
37 void *reply_queue;
38 int reply_queue_len;
39- int reply_queue_head;
40+ uint16_t reply_queue_head;
41 int reply_queue_tail;
42 uint64_t consumer_pa;
43 uint64_t producer_pa;
44@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
45
46 index = s->reply_queue_head;
47
48- while (num < s->fw_cmds) {
49+ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
50 if (s->frames[index].pa && s->frames[index].pa == frame) {
51 cmd = &s->frames[index];
52 break;
53--
542.20.1
55