diff options
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch | 42 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch | 59 |
3 files changed, 103 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 5f7d82dfed..a22721004e 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -64,6 +64,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
64 | file://0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch \ | 64 | file://0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch \ |
65 | file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \ | 65 | file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \ |
66 | file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \ | 66 | file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \ |
67 | file://CVE-2021-3527-1.patch \ | ||
68 | file://CVE-2021-3527-2.patch \ | ||
67 | " | 69 | " |
68 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 70 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
69 | 71 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch new file mode 100644 index 0000000000..77a5385692 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001 | ||
2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
3 | Date: Mon, 3 May 2021 15:29:15 +0200 | ||
4 | Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527) | ||
5 | |||
6 | usb-host and usb-redirect try to batch bulk transfers by combining many | ||
7 | small usb packets into a single, large transfer request, to reduce the | ||
8 | overhead and improve performance. | ||
9 | |||
10 | This patch adds a size limit of 1 MiB for those combined packets to | ||
11 | restrict the host resources the guest can bind that way. | ||
12 | |||
13 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
14 | Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c | ||
18 | CVE: CVE-2021-3527 | ||
19 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
20 | |||
21 | --- | ||
22 | hw/usb/combined-packet.c | 4 +++- | ||
23 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c | ||
26 | index 5d57e883dc..e56802f89a 100644 | ||
27 | --- a/hw/usb/combined-packet.c | ||
28 | +++ b/hw/usb/combined-packet.c | ||
29 | @@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) | ||
30 | if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || | ||
31 | next == NULL || | ||
32 | /* Work around for Linux usbfs bulk splitting + migration */ | ||
33 | - (totalsize == (16 * KiB - 36) && p->int_req)) { | ||
34 | + (totalsize == (16 * KiB - 36) && p->int_req) || | ||
35 | + /* Next package may grow combined package over 1MiB */ | ||
36 | + totalsize > 1 * MiB - ep->max_packet_size) { | ||
37 | usb_device_handle_data(ep->dev, first); | ||
38 | assert(first->status == USB_RET_ASYNC); | ||
39 | if (first->combined) { | ||
40 | -- | ||
41 | GitLab | ||
42 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch new file mode 100644 index 0000000000..6371aced12 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001 | ||
2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
3 | Date: Mon, 3 May 2021 15:29:12 +0200 | ||
4 | Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Use autofree heap allocation instead. | ||
10 | |||
11 | Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") | ||
12 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
13 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
14 | Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
15 | Message-Id: <20210503132915.2335822-3-kraxel@redhat.com> | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 | ||
19 | CVE: CVE-2021-3527 | ||
20 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
21 | |||
22 | --- | ||
23 | hw/usb/redirect.c | 6 +++--- | ||
24 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
25 | |||
26 | diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c | ||
27 | index 17f06f3417..6a75b0dc4a 100644 | ||
28 | --- a/hw/usb/redirect.c | ||
29 | +++ b/hw/usb/redirect.c | ||
30 | @@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, | ||
31 | .endpoint = ep, | ||
32 | .length = p->iov.size | ||
33 | }; | ||
34 | - uint8_t buf[p->iov.size]; | ||
35 | + g_autofree uint8_t *buf = g_malloc(p->iov.size); | ||
36 | /* No id, we look at the ep when receiving a status back */ | ||
37 | usb_packet_copy(p, buf, p->iov.size); | ||
38 | usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, | ||
39 | @@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, | ||
40 | usbredirparser_send_bulk_packet(dev->parser, p->id, | ||
41 | &bulk_packet, NULL, 0); | ||
42 | } else { | ||
43 | - uint8_t buf[size]; | ||
44 | + g_autofree uint8_t *buf = g_malloc(size); | ||
45 | usb_packet_copy(p, buf, size); | ||
46 | usbredir_log_data(dev, "bulk data out:", buf, size); | ||
47 | usbredirparser_send_bulk_packet(dev->parser, p->id, | ||
48 | @@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, | ||
49 | USBPacket *p, uint8_t ep) | ||
50 | { | ||
51 | struct usb_redir_interrupt_packet_header interrupt_packet; | ||
52 | - uint8_t buf[p->iov.size]; | ||
53 | + g_autofree uint8_t *buf = g_malloc(p->iov.size); | ||
54 | |||
55 | DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, | ||
56 | p->iov.size, p->id); | ||
57 | -- | ||
58 | GitLab | ||
59 | |||