diff options
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch | 46 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.4.0.bb | 1 |
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch new file mode 100644 index 0000000000..5d3b9a92d5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 0a5e3685ea10c578f8063ca0dbb009af45693d85 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Thu, 19 May 2016 16:09:30 +0530 | ||
4 | Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439) | ||
5 | |||
6 | The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte | ||
7 | FIFO buffer. It is used to handle command and data transfer. While | ||
8 | writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check | ||
9 | was missing to validate input length. Add check to avoid OOB write | ||
10 | access. | ||
11 | |||
12 | Fixes CVE-2016-4439. | ||
13 | |||
14 | Reported-by: Li Qiang <liqiang6-s@360.cn> | ||
15 | Cc: qemu-stable@nongnu.org | ||
16 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
17 | Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com> | ||
18 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
19 | (cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef) | ||
20 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
21 | |||
22 | Upstream-Status: Backport | ||
23 | CVE: CVE-2016-4439 | ||
24 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
25 | |||
26 | --- | ||
27 | hw/scsi/esp.c | 6 +++++- | ||
28 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
29 | |||
30 | Index: qemu-2.4.0/hw/scsi/esp.c | ||
31 | =================================================================== | ||
32 | --- qemu-2.4.0.orig/hw/scsi/esp.c | ||
33 | +++ qemu-2.4.0/hw/scsi/esp.c | ||
34 | @@ -446,7 +446,11 @@ void esp_reg_write(ESPState *s, uint32_t | ||
35 | break; | ||
36 | case ESP_FIFO: | ||
37 | if (s->do_cmd) { | ||
38 | - s->cmdbuf[s->cmdlen++] = val & 0xff; | ||
39 | + if (s->cmdlen < TI_BUFSZ) { | ||
40 | + s->cmdbuf[s->cmdlen++] = val & 0xff; | ||
41 | + } else { | ||
42 | + trace_esp_error_fifo_overrun(); | ||
43 | + } | ||
44 | } else if (s->ti_size == TI_BUFSZ - 1) { | ||
45 | trace_esp_error_fifo_overrun(); | ||
46 | } else { | ||
diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb index 85dd39eccb..4eb4bcce87 100644 --- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb | |||
@@ -25,6 +25,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ | |||
25 | file://CVE-2016-3712_p2.patch \ | 25 | file://CVE-2016-3712_p2.patch \ |
26 | file://CVE-2016-3712_p3.patch \ | 26 | file://CVE-2016-3712_p3.patch \ |
27 | file://CVE-2016-3712_p4.patch \ | 27 | file://CVE-2016-3712_p4.patch \ |
28 | file://CVE-2016-4439.patch \ | ||
28 | " | 29 | " |
29 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" | 30 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" |
30 | SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4" | 31 | SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4" |