From f2961d88af7fa7345f40b1dc3b0edc926c5a2304 Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Wed, 29 May 2019 11:14:38 -0700
Subject: qemu: Several CVE fixes

Source: qemu.org
MR: 97258, 97342, 97438, 97443
Type: Security Fix
Disposition: Backport from git.qemu.org/qemu.git
ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5
Description: These issues affect qemu < 3.1.0
Fixes: CVE-2018-16867 CVE-2018-16872 CVE-2018-18849 CVE-2018-19364

(From OE-Core rev: e3dfe53a334cd952cc2194fd3baad6d082659b7e)

Signed-off-by: Armin Kuster
Signed-off-by: Armin Kuster
Signed-off-by: Richard Purdie
---
 .../qemu/qemu/CVE-2018-18849.patch | 86 ++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
(limited to 'meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch')

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
new file mode 100644
index 0000000000..b632512e8b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
@@ -0,0 +1,86 @@
+From bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Sat, 27 Oct 2018 01:13:14 +0530
+Subject: [PATCH] lsi53c895a: check message length value is valid
+
+While writing a message in 'lsi_do_msgin', message length value
+in 'msg_len' could be invalid due to an invalid migration stream.
+Add an assertion to avoid an out of bounds access, and reject
+the incoming migration data if it contains an invalid message
+length.
+
+Discovered by Deja vu Security. Reported by Oracle.
+
+Signed-off-by: Prasad J Pandit
+Message-Id: <20181026194314.18663-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit e58ccf039650065a9442de43c9816f81e88f27f6)
+*CVE-2018-18849
+*avoid context dep. on c921370b22c
+Signed-off-by: Michael Roth
+
+Upstream-Status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-18849
+Signed-off-by: Armin Kuster
+
+---
+ hw/scsi/lsi53c895a.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 160657f..3758635 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -865,10 +865,11 @@ static void lsi_do_status(LSIState *s)
+
+ static void lsi_do_msgin(LSIState *s)
+ {
+- int len;
++ uint8_t len;
+ DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
+ s->sfbr = s->msg[0];
+ len = s->msg_len;
++ assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
+ if (len > s->dbc)
+ len = s->dbc;
+ pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
+@@ -1703,8 +1704,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset)
+ break;
+ case 0x58: /* SBDL */
+ /* Some drivers peek at the data bus during the MSG IN phase. */
+- if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
++ if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
++ assert(s->msg_len > 0);
+ return s->msg[0];
++ }
+ ret = 0;
+ break;
+ case 0x59: /* SBDL high */
+@@ -2096,11 +2099,23 @@ static int lsi_pre_save(void *opaque)
+ return 0;
+ }
+
++static int lsi_post_load(void *opaque, int version_id)
++{
++ LSIState *s = opaque;
++
++ if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ static const VMStateDescription vmstate_lsi_scsi = {
+ .name = "lsiscsi",
+ .version_id = 0,
+ .minimum_version_id = 0,
+ .pre_save = lsi_pre_save,
++ .post_load = lsi_post_load,
+ .fields = (VMStateField[]) {
+ VMSTATE_PCI_DEVICE(parent_obj, LSIState),
+
+--
+2.7.4
+
-- cgit v1.2.3-54-g00ecf
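Review bot: `lsi_post_load` in the third inner hunk accepts `msg_len == 0`, while the new `assert(s->msg_len > 0)` in `lsi_reg_readb` (second inner hunk) demands a non-zero length whenever the phase is PHASE_MI, so a migration stream carrying msg_len 0 together with an MSG IN phase passes validation and then aborts the process on a guest read of SBDL instead of being rejected — assuming sstat1 is part of the migrated state, which this patch does not show. The range check alone closes the out-of-bounds read, but the remaining inconsistency surfaces as an assertion failure rather than a `-EINVAL`. Consider adding `if ((s->sstat1 & PHASE_MASK) == PHASE_MI && s->msg_len == 0) { return -EINVAL; }` next to the range test, and a comment on `lsi_post_load` stating that it is the only gate between the incoming stream and the new asserts in `lsi_do_msgin` and `lsi_reg_readb`. The inner hunks are excerpts; each touched function continues outside them.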