From 55b7c62b76a3f1b3912074725e23b90023980e38 Mon Sep 17 00:00:00 2001 From: Sakib Sajal Date: Tue, 14 Jul 2020 15:51:16 -0400 Subject: qemu: fix CVE-2020-13362 (From OE-Core rev: 3a95b5a67ce981b8949d9e5067762b7127d15353) Signed-off-by: Sakib Sajal Signed-off-by: Richard Purdie --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2020-13362.patch | 55 ++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch (limited to 'meta/recipes-devtools') diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index d41cc8f200..98bdff7ac6 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -32,6 +32,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-13361.patch \ file://find_datadir.patch \ file://CVE-2020-10761.patch \ + file://CVE-2020-13362.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch new file mode 100644 index 0000000000..af8d4ba8f4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch @@ -0,0 +1,55 @@ +From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 14 May 2020 00:55:38 +0530 +Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check + index + +A guest user may set 'reply_queue_head' field of MegasasState to +a negative value. Later in 'megasas_lookup_frame' it is used to +index into s->frames[] array. Use unsigned type to avoid OOB +access issue. + +Also check that 'index' value stays within s->frames[] bounds +through the while() loop in 'megasas_lookup_frame' to avoid OOB +access. + +Reported-by: Ren Ding +Reported-by: Hanqing Zhao +Reported-by: Alexander Bulekov +Signed-off-by: Prasad J Pandit +Acked-by: Alexander Bulekov +Message-Id: <20200513192540.1583887-2-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini + +Upstream-Status: Backport [f50ab86a2620bd7e8507af865b164655ee921661] +CVE: CVE-2020-13362 +Signed-off-by: Sakib Sajal +--- + hw/scsi/megasas.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index af18c88b65..6ce598cd69 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -112,7 +112,7 @@ typedef struct MegasasState { + uint64_t reply_queue_pa; + void *reply_queue; + int reply_queue_len; +- int reply_queue_head; ++ uint16_t reply_queue_head; + int reply_queue_tail; + uint64_t consumer_pa; + uint64_t producer_pa; +@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s, + + index = s->reply_queue_head; + +- while (num < s->fw_cmds) { ++ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) { + if (s->frames[index].pa && s->frames[index].pa == frame) { + cmd = &s->frames[index]; + break; +-- +2.20.1 + -- cgit v1.2.3-54-g00ecf