summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch52
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch70
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2018-17963.patch51
-rw-r--r--meta/recipes-devtools/qemu/qemu_3.0.0.bb3
4 files changed, 176 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
new file mode 100644
index 0000000000..af40ff275a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
@@ -0,0 +1,52 @@
1From 06e88ca78d056ea4de885e3a1496805179dc47bc Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 15 Oct 2018 16:33:04 +0800
4Subject: [PATCH] ne2000: fix possible out of bound access in ne2000_receive
5
6In ne2000_receive(), we try to assign size_ to size which converts
7from size_t to integer. This will cause troubles when size_ is greater
8INT_MAX, this will lead a negative value in size and it can then pass
9the check of size < MIN_BUF_SIZE which may lead out of bound access of
10for both buf and buf1.
11
12Fixing by converting the type of size to size_t.
13
14CC: address@hidden
15Reported-by: Daniel Shapira <address@hidden>
16Reviewed-by: Michael S. Tsirkin <address@hidden>
17Signed-off-by: Jason Wang <address@hidden>
18
19Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03273.html]
20
21CVE: CVE-2018-17958
22
23Signed-off-by: Changqing Li <changqing.li@windriver.com>
24---
25 hw/net/ne2000.c | 4 ++--
26 1 file changed, 2 insertions(+), 2 deletions(-)
27
28diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
29index 07d79e3..869518e 100644
30--- a/hw/net/ne2000.c
31+++ b/hw/net/ne2000.c
32@@ -174,7 +174,7 @@ static int ne2000_buffer_full(NE2000State *s)
33 ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
34 {
35 NE2000State *s = qemu_get_nic_opaque(nc);
36- int size = size_;
37+ size_t size = size_;
38 uint8_t *p;
39 unsigned int total_len, next, avail, len, index, mcast_idx;
40 uint8_t buf1[60];
41@@ -182,7 +182,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
42 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
43
44 #if defined(DEBUG_NE2000)
45- printf("NE2000: received len=%d\n", size);
46+ printf("NE2000: received len=%zu\n", size);
47 #endif
48
49 if (s->cmd & E8390_STOP || ne2000_buffer_full(s))
50--
512.7.4
52
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch
new file mode 100644
index 0000000000..88bfd811ea
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch
@@ -0,0 +1,70 @@
1From 20abe443ad9464b18ac494f71f7d53f19ee3748f Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 15 Oct 2018 16:38:08 +0800
4Subject: [PATCH] rtl8139: fix possible out of bound access
5
6In rtl8139_do_receive(), we try to assign size_ to size which converts
7from size_t to integer. This will cause troubles when size_ is greater
8INT_MAX, this will lead a negative value in size and it can then pass
9the check of size < MIN_BUF_SIZE which may lead out of bound access of
10for both buf and buf1.
11
12Fixing by converting the type of size to size_t.
13
14CC: address@hidden
15Reported-by: Daniel Shapira <address@hidden>
16Reviewed-by: Michael S. Tsirkin <address@hidden>
17Signed-off-by: Jason Wang <address@hidden>
18
19Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html]
20
21CVE: CVE-2018-17962
22
23Signed-off-by: Changqing Li <changqing.li@windriver.com>
24---
25 hw/net/rtl8139.c | 8 ++++----
26 1 file changed, 4 insertions(+), 4 deletions(-)
27
28diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
29index 46daa16..2342a09 100644
30--- a/hw/net/rtl8139.c
31+++ b/hw/net/rtl8139.c
32@@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
33 RTL8139State *s = qemu_get_nic_opaque(nc);
34 PCIDevice *d = PCI_DEVICE(s);
35 /* size is the length of the buffer passed to the driver */
36- int size = size_;
37+ size_t size = size_;
38 const uint8_t *dot1q_buf = NULL;
39
40 uint32_t packet_header = 0;
41@@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
42 static const uint8_t broadcast_macaddr[6] =
43 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
44
45- DPRINTF(">>> received len=%d\n", size);
46+ DPRINTF(">>> received len=%zu\n", size);
47
48 /* test if board clock is stopped */
49 if (!s->clock_enabled)
50@@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
51
52 if (size+4 > rx_space)
53 {
54- DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n",
55+ DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n",
56 descriptor, rx_space, size);
57
58 s->IntrStatus |= RxOverflow;
59@@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
60 if (avail != 0 && RX_ALIGN(size + 8) >= avail)
61 {
62 DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
63- "read 0x%04x === available 0x%04x need 0x%04x\n",
64+ "read 0x%04x === available 0x%04x need 0x%04zx\n",
65 s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8);
66
67 s->IntrStatus |= RxOverflow;
68--
692.7.4
70
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-17963.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-17963.patch
new file mode 100644
index 0000000000..054cdc8674
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-17963.patch
@@ -0,0 +1,51 @@
1From e5ff72a8005dd1d9c0f63f8a9cc4298df5bb7551 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 15 Oct 2018 16:39:46 +0800
4Subject: [PATCH] pcnet: fix possible buffer overflow
5
6In pcnet_receive(), we try to assign size_ to size which converts from
7size_t to integer. This will cause troubles when size_ is greater
8INT_MAX, this will lead a negative value in size and it can then pass
9the check of size < MIN_BUF_SIZE which may lead out of bound access
10for both buf and buf1.
11
12Fixing by converting the type of size to size_t.
13
14CC: address@hidden
15Reported-by: Daniel Shapira <address@hidden>
16Reviewed-by: Michael S. Tsirkin <address@hidden>
17Signed-off-by: Jason Wang <address@hidden>
18
19Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03268.html]
20
21CVE: CVE-2018-17963
22
23Signed-off-by: Changqing Li <changqing.li@windriver.com>
24---
25 hw/net/pcnet.c | 4 ++--
26 1 file changed, 2 insertions(+), 2 deletions(-)
27
28diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
29index 0c44554..d9ba04b 100644
30--- a/hw/net/pcnet.c
31+++ b/hw/net/pcnet.c
32@@ -988,14 +988,14 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
33 uint8_t buf1[60];
34 int remaining;
35 int crc_err = 0;
36- int size = size_;
37+ size_t size = size_;
38
39 if (CSR_DRX(s) || CSR_STOP(s) || CSR_SPND(s) || !size ||
40 (CSR_LOOP(s) && !s->looptest)) {
41 return -1;
42 }
43 #ifdef PCNET_DEBUG
44- printf("pcnet_receive size=%d\n", size);
45+ printf("pcnet_receive size=%zu\n", size);
46 #endif
47
48 /* if too small buffer, then expand it */
49--
502.7.4
51
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index 4569caec2f..776548b05a 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -22,6 +22,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
22 file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \ 22 file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
23 file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \ 23 file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
24 file://CVE-2018-15746.patch \ 24 file://CVE-2018-15746.patch \
25 file://CVE-2018-17958.patch \
26 file://CVE-2018-17962.patch \
27 file://CVE-2018-17963.patch \
25 " 28 "
26UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 29UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
27 30