4 files changed, 170 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index e6dbc6d05a..3ce14d9fa0 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -30,6 +30,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch \
           file://CVE-2019-15890.patch \
           file://CVE-2020-1711.patch \
+           file://CVE-2020-7039-1.patch \
+           file://CVE-2020-7039-2.patch \
+           file://CVE-2020-7039-3.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
new file mode 100644
index 0000000000..df6bca6db6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
@@ -0,0 +1,44 @@
+From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:07:35 +0800
+Subject: [PATCH] tcp_emu: Fix oob access
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index d6dd133..4bea2d4 100644
+--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
+@@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 break;
+ 
+             case 5:
+                if (bptr == m->m_data + m->m_len - 1)
+                        return 1; /* We need two bytes */
+                 /*
+                  * The difference between versions 1.0 and
+                  * 2.0 is here. For future versions of
+@@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 /* This is the field containing the port
+                  * number that RA-player is listening to.
+                  */
+
+                if (bptr == m->m_data + m->m_len - 1)
+                        return 1; /* We need two bytes */
+
+                 lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
+                 if (lport < 6970)
+                     lport += 256; /* don't know why */
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
new file mode 100644
index 0000000000..4a00fa2afd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
@@ -0,0 +1,59 @@
+From 8f67e76e4148e37f3d8d2bcbdee7417fdedb7669 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:10:34 +0800
+Subject: [PATCH] slirp: use correct size while emulating commands
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault's avatarSamuel Thibault
+<samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index 4bea2d4..e8ed4ef 100644
+--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
+@@ -696,7 +696,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+             n4 = (laddr & 0xff);
+ 
+             m->m_len = bptr - m->m_data; /* Adjust length */
+-            m->m_len += snprintf(bptr, m->m_size - m->m_len,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                  "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
+                                  n5, n6, x == 7 ? buff : "");
+             return 1;
+@@ -731,8 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+             n4 = (laddr & 0xff);
+ 
+             m->m_len = bptr - m->m_data; /* Adjust length */
+-            m->m_len +=
+-                snprintf(bptr, m->m_size - m->m_len,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                          "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+                          n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
+ 
+@@ -758,8 +757,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+         if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
+             (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+                              htons(lport), SS_FACCEPTONCE)) != NULL)
+-            m->m_len =
+-                snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
+            m->m_len = snprintf(m->m_data, M_ROOM(m),
+                                "%d", ntohs(so->so_fport)) + 1;
+         return 1;
+ 
+     case EMU_IRC:
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
new file mode 100644
index 0000000000..70ce480d80
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
@@ -0,0 +1,64 @@
+From 0b03959b72036afce151783720d9e54988cf76ef Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:15:04 +0800
+Subject: [PATCH] slirp: use correct size while emulating IRC commands
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault
+<samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index e8ed4ef..3a4a8ee 100644
+--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
+@@ -777,7 +777,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 return 1;
+             }
+             m->m_len = bptr - m->m_data; /* Adjust length */
+-            m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                 "DCC CHAT chat %lu %u%c\n",
+                                  (unsigned long)ntohl(so->so_faddr.s_addr),
+                                  ntohs(so->so_fport), 1);
+         } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
+@@ -787,8 +788,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 return 1;
+             }
+             m->m_len = bptr - m->m_data; /* Adjust length */
+-            m->m_len +=
+-                snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                         "DCC SEND %s %lu %u %u%c\n", buff,
+                          (unsigned long)ntohl(so->so_faddr.s_addr),
+                          ntohs(so->so_fport), n1, 1);
+         } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
+@@ -798,8 +799,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 return 1;
+             }
+             m->m_len = bptr - m->m_data; /* Adjust length */
+-            m->m_len +=
+-                snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                         "DCC MOVE %s %lu %u %u%c\n", buff,
+                          (unsigned long)ntohl(so->so_faddr.s_addr),
+                          ntohs(so->so_fport), n1, 1);
+         }
+-- 
+2.7.4

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index e6dbc6d05a..3ce14d9fa0 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -30,6 +30,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
30	file://0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch \	30	file://0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch \
31	file://CVE-2019-15890.patch \	31	file://CVE-2019-15890.patch \
32	file://CVE-2020-1711.patch \	32	file://CVE-2020-1711.patch \
		33	file://CVE-2020-7039-1.patch \
		34	file://CVE-2020-7039-2.patch \
		35	file://CVE-2020-7039-3.patch \
33	"	36	"
34	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	37	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
35		38


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch new file mode 100644 index 0000000000..df6bca6db6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
@@ -0,0 +1,44 @@
		1	From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Thu, 27 Feb 2020 12:07:35 +0800
		4	Subject: [PATCH] tcp_emu: Fix oob access
		5
		6	The main loop only checks for one available byte, while we sometimes
		7	need two bytes.
		8
		9	CVE: CVE-2020-7039
		10	Upstream-Status: Backport
		11	[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289]
		12
		13	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		14	---
		15	slirp/src/tcp_subr.c \| 6 ++++++
		16	1 file changed, 6 insertions(+)
		17
		18	diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
		19	index d6dd133..4bea2d4 100644
		20	--- a/slirp/src/tcp_subr.c
		21	+++ b/slirp/src/tcp_subr.c
		22	@@ -886,6 +886,8 @@ int tcp_emu(struct socket so, struct mbuf m)
		23	break;
		24
		25	case 5:
		26	+ if (bptr == m->m_data + m->m_len - 1)
		27	+ return 1; /* We need two bytes */
		28	/*
		29	* The difference between versions 1.0 and
		30	* 2.0 is here. For future versions of
		31	@@ -901,6 +903,10 @@ int tcp_emu(struct socket so, struct mbuf m)
		32	/* This is the field containing the port
		33	* number that RA-player is listening to.
		34	*/
		35	+
		36	+ if (bptr == m->m_data + m->m_len - 1)
		37	+ return 1; /* We need two bytes */
		38	+
		39	lport = (((uint8_t )bptr)[0] << 8) + ((uint8_t )bptr)[1];
		40	if (lport < 6970)
		41	lport += 256; /* don't know why */
		42	--
		43	2.7.4
		44


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch new file mode 100644 index 0000000000..4a00fa2afd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
@@ -0,0 +1,59 @@
		1	From 8f67e76e4148e37f3d8d2bcbdee7417fdedb7669 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Thu, 27 Feb 2020 12:10:34 +0800
		4	Subject: [PATCH] slirp: use correct size while emulating commands
		5
		6	While emulating services in tcp_emu(), it uses 'mbuf' size
		7	'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
		8	size to avoid possible OOB access.
		9	Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
		10	Signed-off-by: Samuel Thibault's avatarSamuel Thibault
		11	<samuel.thibault@ens-lyon.org>
		12	Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
		13
		14	CVE: CVE-2020-7039
		15	Upstream-Status: Backport
		16	[https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80]
		17
		18	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		19	---
		20	slirp/src/tcp_subr.c \| 9 ++++-----
		21	1 file changed, 4 insertions(+), 5 deletions(-)
		22
		23	diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
		24	index 4bea2d4..e8ed4ef 100644
		25	--- a/slirp/src/tcp_subr.c
		26	+++ b/slirp/src/tcp_subr.c
		27	@@ -696,7 +696,7 @@ int tcp_emu(struct socket so, struct mbuf m)
		28	n4 = (laddr & 0xff);
		29
		30	m->m_len = bptr - m->m_data; /* Adjust length */
		31	- m->m_len += snprintf(bptr, m->m_size - m->m_len,
		32	+ m->m_len += snprintf(bptr, M_FREEROOM(m),
		33	"ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
		34	n5, n6, x == 7 ? buff : "");
		35	return 1;
		36	@@ -731,8 +731,7 @@ int tcp_emu(struct socket so, struct mbuf m)
		37	n4 = (laddr & 0xff);
		38
		39	m->m_len = bptr - m->m_data; /* Adjust length */
		40	- m->m_len +=
		41	- snprintf(bptr, m->m_size - m->m_len,
		42	+ m->m_len += snprintf(bptr, M_FREEROOM(m),
		43	"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
		44	n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
		45
		46	@@ -758,8 +757,8 @@ int tcp_emu(struct socket so, struct mbuf m)
		47	if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
		48	(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
		49	htons(lport), SS_FACCEPTONCE)) != NULL)
		50	- m->m_len =
		51	- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
		52	+ m->m_len = snprintf(m->m_data, M_ROOM(m),
		53	+ "%d", ntohs(so->so_fport)) + 1;
		54	return 1;
		55
		56	case EMU_IRC:
		57	--
		58	2.7.4
		59


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch new file mode 100644 index 0000000000..70ce480d80 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
@@ -0,0 +1,64 @@
		1	From 0b03959b72036afce151783720d9e54988cf76ef Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Thu, 27 Feb 2020 12:15:04 +0800
		4	Subject: [PATCH] slirp: use correct size while emulating IRC commands
		5
		6	While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
		7	'm->m_size' to write DCC commands via snprintf(3). This may
		8	lead to OOB write access, because 'bptr' points somewhere in
		9	the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
		10	size to avoid OOB access.
		11	Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
		12	Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
		13	Reviewed-by: Samuel Thibault's avatarSamuel Thibault
		14	<samuel.thibault@ens-lyon.org>
		15	Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
		16
		17	CVE: CVE-2020-7039
		18	Upstream-Status: Backport
		19	[https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9]
		20
		21	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		22	---
		23	slirp/src/tcp_subr.c \| 11 ++++++-----
		24	1 file changed, 6 insertions(+), 5 deletions(-)
		25
		26	diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
		27	index e8ed4ef..3a4a8ee 100644
		28	--- a/slirp/src/tcp_subr.c
		29	+++ b/slirp/src/tcp_subr.c
		30	@@ -777,7 +777,8 @@ int tcp_emu(struct socket so, struct mbuf m)
		31	return 1;
		32	}
		33	m->m_len = bptr - m->m_data; /* Adjust length */
		34	- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
		35	+ m->m_len += snprintf(bptr, M_FREEROOM(m),
		36	+ "DCC CHAT chat %lu %u%c\n",
		37	(unsigned long)ntohl(so->so_faddr.s_addr),
		38	ntohs(so->so_fport), 1);
		39	} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
		40	@@ -787,8 +788,8 @@ int tcp_emu(struct socket so, struct mbuf m)
		41	return 1;
		42	}
		43	m->m_len = bptr - m->m_data; /* Adjust length */
		44	- m->m_len +=
		45	- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
		46	+ m->m_len += snprintf(bptr, M_FREEROOM(m),
		47	+ "DCC SEND %s %lu %u %u%c\n", buff,
		48	(unsigned long)ntohl(so->so_faddr.s_addr),
		49	ntohs(so->so_fport), n1, 1);
		50	} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
		51	@@ -798,8 +799,8 @@ int tcp_emu(struct socket so, struct mbuf m)
		52	return 1;
		53	}
		54	m->m_len = bptr - m->m_data; /* Adjust length */
		55	- m->m_len +=
		56	- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
		57	+ m->m_len += snprintf(bptr, M_FREEROOM(m),
		58	+ "DCC MOVE %s %lu %u %u%c\n", buff,
		59	(unsigned long)ntohl(so->so_faddr.s_addr),
		60	ntohs(so->so_fport), n1, 1);
		61	}
		62	--
		63	2.7.4
		64