diff options
| author | Li Wang <li.wang@windriver.com> | 2020-12-01 02:16:54 +0000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-12-18 23:01:48 +0000 |
| commit | 6006b3514fb750d744ecb7e0ee2944cb5855fd9b (patch) | |
| tree | 86b3435630ad7853aac45fbd9a1e65ee4cf00294 | |
| parent | e6cd9ba1a895cb2e50fda2dd6f06bb974c84618b (diff) | |
| download | poky-6006b3514fb750d744ecb7e0ee2944cb5855fd9b.tar.gz | |
qemu: CVE-2020-29129 CVE-2020-29130
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-29129
https://nvd.nist.gov/vuln/detail/CVE-2020-29130
backport patch from:
https://git.qemu.org/?p=libslirp.git;a=commit;h=2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f
(From OE-Core rev: 0a9a9a4d524c5b932cc24f51994368e07dd2e81f)
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e5eda809a41732dfa4988799360be3d1280c1209)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch | 64 |
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 11be545cb5..bbe2a39755 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
| @@ -33,6 +33,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
| 33 | file://usb-fix-setup_len-init.patch \ | 33 | file://usb-fix-setup_len-init.patch \ |
| 34 | file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ | 34 | file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ |
| 35 | file://CVE-2020-24352.patch \ | 35 | file://CVE-2020-24352.patch \ |
| 36 | file://CVE-2020-29129-CVE-2020-29130.patch \ | ||
| 36 | " | 37 | " |
| 37 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 38 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
| 38 | 39 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch new file mode 100644 index 0000000000..e5829f6dad --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch | |||
| @@ -0,0 +1,64 @@ | |||
| 1 | From 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 3 | Date: Thu, 26 Nov 2020 19:27:06 +0530 | ||
| 4 | Subject: [PATCH] slirp: check pkt_len before reading protocol header | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=utf8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input' | ||
| 10 | routines, ensure that pkt_len is large enough to accommodate the | ||
| 11 | respective protocol headers, lest it should do an OOB access. | ||
| 12 | Add check to avoid it. | ||
| 13 | |||
| 14 | CVE-2020-29129 CVE-2020-29130 | ||
| 15 | QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets | ||
| 16 | -> https://www.openwall.com/lists/oss-security/2020/11/27/1 | ||
| 17 | |||
| 18 | Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> | ||
| 19 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 20 | Message-Id: <20201126135706.273950-1-ppandit@redhat.com> | ||
| 21 | Reviewed-by: Marc-Andrà Lureau <marcandre.lureau@redhat.com> | ||
| 22 | |||
| 23 | Upstream-Status: Backport | ||
| 24 | CVE: CVE-2020-29129 CVE-2020-29130 | ||
| 25 | [https://git.qemu.org/?p=libslirp.git;a=commit;h=2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f] | ||
| 26 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
| 27 | --- | ||
| 28 | slirp/src/ncsi.c | 4 ++++ | ||
| 29 | slirp/src/slirp.c | 4 ++++ | ||
| 30 | 2 files changed, 8 insertions(+) | ||
| 31 | |||
| 32 | diff --git a/slirp/src/ncsi.c b/slirp/src/ncsi.c | ||
| 33 | index 3c1dfef..75dcc08 100644 | ||
| 34 | --- a/slirp/src/ncsi.c | ||
| 35 | +++ b/slirp/src/ncsi.c | ||
| 36 | @@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len) | ||
| 37 | uint32_t checksum; | ||
| 38 | uint32_t *pchecksum; | ||
| 39 | |||
| 40 | + if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) { | ||
| 41 | + return; /* packet too short */ | ||
| 42 | + } | ||
| 43 | + | ||
| 44 | memset(ncsi_reply, 0, sizeof(ncsi_reply)); | ||
| 45 | |||
| 46 | memset(reh->h_dest, 0xff, ETH_ALEN); | ||
| 47 | diff --git a/slirp/src/slirp.c b/slirp/src/slirp.c | ||
| 48 | index dba7c98..9be58e2 100644 | ||
| 49 | --- a/slirp/src/slirp.c | ||
| 50 | +++ b/slirp/src/slirp.c | ||
| 51 | @@ -756,6 +756,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len) | ||
| 52 | return; | ||
| 53 | } | ||
| 54 | |||
| 55 | + if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) { | ||
| 56 | + return; /* packet too short */ | ||
| 57 | + } | ||
| 58 | + | ||
| 59 | ar_op = ntohs(ah->ar_op); | ||
| 60 | switch (ar_op) { | ||
| 61 | case ARPOP_REQUEST: | ||
| 62 | -- | ||
| 63 | 2.17.1 | ||
| 64 | |||
