qemu: CVE-2014-7840

Fixes insufficient parameter validation during ram load Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7840 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Tudor Florea <tudor.florea@enea.com> 2015-07-07 00:33:18 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2015-07-07 00:33:18 +0200
commit: 59469018432f7b2cf490a1cefe9855cfccdf0508 (patch)
tree: 7f586650ebb3746a4439d7016bdf988b34515266
parent: c190b396d5d2b0ce2caabf7366f3b08546187f11 (diff)
download: poky-59469018432f7b2cf490a1cefe9855cfccdf0508.tar.gz
2 files changed, 59 insertions, 1 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
new file mode 100644
index 0000000000..5405e7078a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
@@ -0,0 +1,57 @@
+From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 12 Nov 2014 11:44:39 +0200
+Subject: [PATCH] migration: fix parameter validation on ram load
+During migration, the values read from migration stream during ram load
+are not validated. Especially offset in host_from_stream_offset() and
+also the length of the writes in the callers of said function.
+To fix this, we need to make sure that the [offset, offset + length]
+range fits into one of the allocated memory regions.
+Validating addr < len should be sufficient since data seems to always be
+managed in TARGET_PAGE_SIZE chunks.
+Fixes: CVE-2014-7840
+Upstream-Status: Backport
+Note: follow-up patches add extra checks on each block->host access.
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ arch_init.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/arch_init.c b/arch_init.c
+index 88a5ba0..593a990 100644
+--- a/arch_init.c
+++ b/arch_init.c
+@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f,
+     uint8_t len;
+ 
+     if (flags & RAM_SAVE_FLAG_CONTINUE) {
+-        if (!block) {
+        if (!block || block->length <= offset) {
+             fprintf(stderr, "Ack, bad migration stream!\n");
+             return NULL;
+         }
+@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f,
+     id[len] = 0;
+ 
+     QTAILQ_FOREACH(block, &ram_list.blocks, next) {
+-        if (!strncmp(id, block->idstr, sizeof(id)))
+        if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) {
+             return memory_region_get_ram_ptr(block->mr) + offset;
+        }
+     }
+ 
+     error_report("Can't find block %s!", id);
+-- 
+1.9.1
diff --git a/meta/recipes-devtools/qemu/qemu_1.7.2.bb b/meta/recipes-devtools/qemu/qemu_1.7.2.bb
index c3c6d3652d..3fa7f201b5 100644
--- a/meta/recipes-devtools/qemu/qemu_1.7.2.bb
+++ b/meta/recipes-devtools/qemu/qemu_1.7.2.bb
@@ -11,7 +11,8 @@ SRC_URI += "file://fxrstorssefix.patch \
            file://vmware-vga-CVE-2014-3689.patch \
            file://vmstate_xhci_event-CVE-2014-5263.patch \
            file://vnc-CVE-2014-7815.patch \
-            file://fdc-CVE-2015-3456.patch"
+            file://fdc-CVE-2015-3456.patch \
+            file://CVE-2014-7840.patch "
 SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2"
 SRC_URI[md5sum] = "a52e0acd37b0c9b06228fe98da0b1b43"
author	Tudor Florea <tudor.florea@enea.com>	2015-07-07 00:33:18 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2015-07-07 00:33:18 +0200
commit	59469018432f7b2cf490a1cefe9855cfccdf0508 (patch)
tree	7f586650ebb3746a4439d7016bdf988b34515266
parent	c190b396d5d2b0ce2caabf7366f3b08546187f11 (diff)
download	poky-59469018432f7b2cf490a1cefe9855cfccdf0508.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch new file mode 100644 index 0000000000..5405e7078a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
@@ -0,0 +1,57 @@
		1	From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001
		2	From: "Michael S. Tsirkin" <mst@redhat.com>
		3	Date: Wed, 12 Nov 2014 11:44:39 +0200
		4	Subject: [PATCH] migration: fix parameter validation on ram load
		5
		6	During migration, the values read from migration stream during ram load
		7	are not validated. Especially offset in host_from_stream_offset() and
		8	also the length of the writes in the callers of said function.
		9
		10	To fix this, we need to make sure that the [offset, offset + length]
		11	range fits into one of the allocated memory regions.
		12
		13	Validating addr < len should be sufficient since data seems to always be
		14	managed in TARGET_PAGE_SIZE chunks.
		15
		16	Fixes: CVE-2014-7840
		17
		18	Upstream-Status: Backport
		19
		20	Note: follow-up patches add extra checks on each block->host access.
		21
		22	Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
		23	Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
		24	Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
		25	Signed-off-by: Amit Shah <amit.shah@redhat.com>
		26	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		27	---
		28	arch_init.c \| 5 +++--
		29	1 file changed, 3 insertions(+), 2 deletions(-)
		30
		31	diff --git a/arch_init.c b/arch_init.c
		32	index 88a5ba0..593a990 100644
		33	--- a/arch_init.c
		34	+++ b/arch_init.c
		35	@@ -1006,7 +1006,7 @@ static inline void host_from_stream_offset(QEMUFile f,
		36	uint8_t len;
		37
		38	if (flags & RAM_SAVE_FLAG_CONTINUE) {
		39	- if (!block) {
		40	+ if (!block \|\| block->length <= offset) {
		41	fprintf(stderr, "Ack, bad migration stream!\n");
		42	return NULL;
		43	}
		44	@@ -1019,8 +1019,9 @@ static inline void host_from_stream_offset(QEMUFile f,
		45	id[len] = 0;
		46
		47	QTAILQ_FOREACH(block, &ram_list.blocks, next) {
		48	- if (!strncmp(id, block->idstr, sizeof(id)))
		49	+ if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) {
		50	return memory_region_get_ram_ptr(block->mr) + offset;
		51	+ }
		52	}
		53
		54	error_report("Can't find block %s!", id);
		55	--
		56	1.9.1
		57


diff --git a/meta/recipes-devtools/qemu/qemu_1.7.2.bb b/meta/recipes-devtools/qemu/qemu_1.7.2.bb index c3c6d3652d..3fa7f201b5 100644 --- a/meta/recipes-devtools/qemu/qemu_1.7.2.bb +++ b/meta/recipes-devtools/qemu/qemu_1.7.2.bb
@@ -11,7 +11,8 @@ SRC_URI += "file://fxrstorssefix.patch \
11	file://vmware-vga-CVE-2014-3689.patch \	11	file://vmware-vga-CVE-2014-3689.patch \
12	file://vmstate_xhci_event-CVE-2014-5263.patch \	12	file://vmstate_xhci_event-CVE-2014-5263.patch \
13	file://vnc-CVE-2014-7815.patch \	13	file://vnc-CVE-2014-7815.patch \
14	file://fdc-CVE-2015-3456.patch"	14	file://fdc-CVE-2015-3456.patch \
		15	file://CVE-2014-7840.patch "
15		16
16	SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2"	17	SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2"
17	SRC_URI[md5sum] = "a52e0acd37b0c9b06228fe98da0b1b43"	18	SRC_URI[md5sum] = "a52e0acd37b0c9b06228fe98da0b1b43"