From 2ef1650794724a6cd6b0a6ac44024bbc8ed824a6 Mon Sep 17 00:00:00 2001
From: Jagadeesh Krishnanjanappa
Date: Wed, 22 Aug 2018 17:11:46 +0530
Subject: qemu: CVE-2018-7550 multiboot: bss_end_addr can be zero

The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/),
section 3.1.3, allows for bss_end_addr to be zero.

A zero bss_end_addr signifies there is no .bss section.

Affects qemu < v2.12.0

(From OE-Core rev: 9f1d026168956e7bf45135577c123f7679a6ebba)

Signed-off-by: Jagadeesh Krishnanjanappa
Signed-off-by: Armin Kuster
Signed-off-by: Richard Purdie
---
 .../recipes-devtools/qemu/qemu/CVE-2018-7550.patch | 62 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.11.1.bb | 1 +
 2 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch
(limited to 'meta/recipes-devtools')

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch
new file mode 100644
index 0000000000..9923d123a5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch
@@ -0,0 +1,62 @@
+From 2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 Mon Sep 17 00:00:00 2001
+From: Jack Schwartz
+Date: Thu, 21 Dec 2017 09:25:15 -0800
+Subject: [PATCH] multiboot: bss_end_addr can be zero
+
+The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/),
+section 3.1.3, allows for bss_end_addr to be zero.
+
+A zero bss_end_addr signifies there is no .bss section.
+
+CVE: CVE-2018-7550
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8]
+
+Suggested-by: Daniel Kiper
+Signed-off-by: Jack Schwartz
+Reviewed-by: Daniel Kiper
+Reviewed-by: Prasad J Pandit
+Signed-off-by: Kevin Wolf
+Signed-off-by: Jagadeesh Krishnanjanappa
+---
+ hw/i386/multiboot.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
+index 46d9c68bf5..bb8d8e4629 100644
+--- a/hw/i386/multiboot.c
++++ b/hw/i386/multiboot.c
+@@ -233,12 +233,6 @@ int load_multiboot(FWCfgState *fw_cfg,
+ mh_entry_addr = ldl_p(header+i+28);
+
+ if (mh_load_end_addr) {
+- if (mh_bss_end_addr < mh_load_addr) {
+- fprintf(stderr, "invalid mh_bss_end_addr address\n");
+- exit(1);
+- }
+- mb_kernel_size = mh_bss_end_addr - mh_load_addr;
+-
+ if (mh_load_end_addr < mh_load_addr) {
+ fprintf(stderr, "invalid mh_load_end_addr address\n");
+ exit(1);
+@@ -249,8 +243,16 @@ int load_multiboot(FWCfgState *fw_cfg,
+ fprintf(stderr, "invalid kernel_file_size\n");
+ exit(1);
+ }
+- mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
+- mb_load_size = mb_kernel_size;
++ mb_load_size = kernel_file_size - mb_kernel_text_offset;
++ }
++ if (mh_bss_end_addr) {
++ if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) {
++ fprintf(stderr, "invalid mh_bss_end_addr address\n");
++ exit(1);
++ }
++ mb_kernel_size = mh_bss_end_addr - mh_load_addr;
++ } else {
++ mb_kernel_size = mb_load_size;
+ }
+
+ /* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_VBE.
+--
+2.13.3
+
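Review bot: The new guard `if (mh_bss_end_addr < (mh_load_addr + mb_load_size))` in the second nested hunk of the backported patch evaluates `mh_load_addr + mb_load_size` with no check that the sum fits in its type; if both are unsigned 32-bit quantities, as the multiboot header layout suggests (their declarations are outside the hunk, so confirm there), a large guest-supplied mh_load_addr wraps the sum to a small value and the comparison accepts an mh_bss_end_addr it was meant to reject, so mb_kernel_size is then derived from an unvalidated pair. Since mb_load_size is fully computed by the line `mb_load_size = kernel_file_size - mb_kernel_text_offset;` (and by the mh_load_end_addr branch above it) before the new block, the sum can be bounded once, directly before `if (mh_bss_end_addr) {`: `if (mb_load_size > UINT32_MAX - mh_load_addr) { fprintf(stderr, "kernel does not fit in address space\n"); exit(1); }`. That keeps the backport's own logic unchanged and only closes the wrap-around path; load_multiboot both begins and ends outside this hunk.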
diff --git a/meta/recipes-devtools/qemu/qemu_2.11.1.bb b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
index 7de21ac0fa..db7ead7682 100644
--- a/meta/recipes-devtools/qemu/qemu_2.11.1.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
 file://0012-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch \
 file://0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch \
 file://0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch \
+ file://CVE-2018-7550.patch \
 "
 
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+\..*)\.tar"
-- 
cgit v1.2.3-54-g00ecf