diff options
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch | 64 |
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 702a817988..012be74855 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -41,6 +41,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
41 | file://CVE-2020-10702.patch \ | 41 | file://CVE-2020-10702.patch \ |
42 | file://CVE-2020-16092.patch \ | 42 | file://CVE-2020-16092.patch \ |
43 | file://CVE-2020-10756.patch \ | 43 | file://CVE-2020-10756.patch \ |
44 | file://CVE-2020-15863.patch \ | ||
44 | " | 45 | " |
45 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 46 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
46 | 47 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch new file mode 100644 index 0000000000..9927584d11 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mauro Matteo Cascella <mcascell@redhat.com> | ||
3 | Date: Fri, 10 Jul 2020 11:19:41 +0200 | ||
4 | Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send() | ||
5 | |||
6 | A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It | ||
7 | occurs while sending an Ethernet frame due to missing break statements | ||
8 | and improper checking of the buffer size. | ||
9 | |||
10 | Reported-by: Ziming Zhang <ezrakiez@gmail.com> | ||
11 | Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> | ||
12 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
13 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
14 | |||
15 | CVE: CVE-2020-15863 | ||
16 | Upstream-Status: Backport | ||
17 | [https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555] | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
20 | --- | ||
21 | hw/net/xgmac.c | 14 ++++++++++++-- | ||
22 | 1 file changed, 12 insertions(+), 2 deletions(-) | ||
23 | |||
24 | diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c | ||
25 | index f49df95..f496f7e 100644 | ||
26 | --- a/hw/net/xgmac.c | ||
27 | +++ b/hw/net/xgmac.c | ||
28 | @@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s) | ||
29 | } | ||
30 | len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff); | ||
31 | |||
32 | + /* | ||
33 | + * FIXME: these cases of malformed tx descriptors (bad sizes) | ||
34 | + * should probably be reported back to the guest somehow | ||
35 | + * rather than simply silently stopping processing, but we | ||
36 | + * don't know what the hardware does in this situation. | ||
37 | + * This will only happen for buggy guests anyway. | ||
38 | + */ | ||
39 | if ((bd.buffer1_size & 0xfff) > 2048) { | ||
40 | DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " | ||
41 | "xgmac buffer 1 len on send > 2048 (0x%x)\n", | ||
42 | __func__, bd.buffer1_size & 0xfff); | ||
43 | + break; | ||
44 | } | ||
45 | if ((bd.buffer2_size & 0xfff) != 0) { | ||
46 | DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " | ||
47 | "xgmac buffer 2 len on send != 0 (0x%x)\n", | ||
48 | __func__, bd.buffer2_size & 0xfff); | ||
49 | + break; | ||
50 | } | ||
51 | - if (len >= sizeof(frame)) { | ||
52 | + if (frame_size + len >= sizeof(frame)) { | ||
53 | DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu " | ||
54 | - "buffer\n" , __func__, len, sizeof(frame)); | ||
55 | + "buffer\n" , __func__, frame_size + len, sizeof(frame)); | ||
56 | DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n", | ||
57 | __func__, bd.buffer1_size, bd.buffer2_size); | ||
58 | + break; | ||
59 | } | ||
60 | |||
61 | cpu_physical_memory_read(bd.buffer1_addr, ptr, len); | ||
62 | -- | ||
63 | 1.9.1 | ||
64 | |||