qemu: Security fix CVE-2015-8345

CVE-2015-8345 Qemu: net: eepro100: infinite loop in processing command block list (From OE-Core rev: 99ffcd66895e4ba064542a1797057e45ec4d3220) (From OE-Core rev: e51fc319b859f44be61822d93e0b72647a02f7c6) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-02-06 15:14:53 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-02-07 17:23:05 +0000
commit: 94c26caff15e8192b2fbdb1de855e27cfb69a724 (patch)
tree: 7678ddfafe01e5a78b93206c3fc22ba37ea4e8ea
parent: 05f4812d15d7816da7e50337792e98f01fbfd103 (diff)
download: poky-94c26caff15e8192b2fbdb1de855e27cfb69a724.tar.gz
2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch
new file mode 100644
index 0000000000..310b458a0c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch
@@ -0,0 +1,73 @@
+From 00837731d254908a841d69298a4f9f077babaf24 Mon Sep 17 00:00:00 2001
+From: Stefan Weil <sw@weilnetz.de>
+Date: Fri, 20 Nov 2015 08:42:33 +0100
+Subject: [PATCH] eepro100: Prevent two endless loops
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
+shows an example how an endless loop in function action_command can
+be achieved.
+During my code review, I noticed a 2nd case which can result in an
+endless loop.
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Upstream-Status: Backport
+http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24
+CVE: CVE-2015-8345
+[Yocto # 9013]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/net/eepro100.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index 60333b7..685a478 100644
+--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
+@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
+ #if 0
+         uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
+ #endif
+        if (tx_buffer_size == 0) {
+            /* Prevent an endless loop. */
+            logout("loop in %s:%u\n", __FILE__, __LINE__);
+            break;
+        }
+         tbd_address += 8;
+         TRACE(RXTX, logout
+             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
+@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s)
+ 
+ static void action_command(EEPRO100State *s)
+ {
+    /* The loop below won't stop if it gets special handcrafted data.
+       Therefore we limit the number of iterations. */
+    unsigned max_loop_count = 16;
+
+     for (;;) {
+         bool bit_el;
+         bool bit_s;
+@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s)
+ #if 0
+         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
+ #endif
+
+        if (max_loop_count-- == 0) {
+            /* Prevent an endless loop. */
+            logout("loop in %s:%u\n", __FILE__, __LINE__);
+            break;
+        }
+
+         s->cu_offset = s->tx.link;
+         TRACE(OTHER,
+               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
+-- 
+2.3.5
diff --git a/meta/recipes-devtools/qemu/qemu_2.2.0.bb b/meta/recipes-devtools/qemu/qemu_2.2.0.bb
index 950917e66a..72fda62264 100644
--- a/meta/recipes-devtools/qemu/qemu_2.2.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.2.0.bb
@@ -23,6 +23,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
            file://CVE-2015-8504.patch \
            file://CVE-2015-7504.patch \
            file://CVE-2015-7512.patch \
+            file://CVE-2015-8345.patch \
           "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "f7a5e2da22d057eb838a91da7aff43c8"
author	Armin Kuster <akuster@mvista.com>	2016-02-06 15:14:53 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-02-07 17:23:05 +0000
commit	94c26caff15e8192b2fbdb1de855e27cfb69a724 (patch)
tree	7678ddfafe01e5a78b93206c3fc22ba37ea4e8ea
parent	05f4812d15d7816da7e50337792e98f01fbfd103 (diff)
download	poky-94c26caff15e8192b2fbdb1de855e27cfb69a724.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch new file mode 100644 index 0000000000..310b458a0c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch
@@ -0,0 +1,73 @@
		1	From 00837731d254908a841d69298a4f9f077babaf24 Mon Sep 17 00:00:00 2001
		2	From: Stefan Weil <sw@weilnetz.de>
		3	Date: Fri, 20 Nov 2015 08:42:33 +0100
		4	Subject: [PATCH] eepro100: Prevent two endless loops
		5
		6	http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
		7	shows an example how an endless loop in function action_command can
		8	be achieved.
		9
		10	During my code review, I noticed a 2nd case which can result in an
		11	endless loop.
		12
		13	Reported-by: Qinghao Tang <luodalongde@gmail.com>
		14	Signed-off-by: Stefan Weil <sw@weilnetz.de>
		15	Signed-off-by: Jason Wang <jasowang@redhat.com>
		16
		17	Upstream-Status: Backport
		18
		19	http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24
		20
		21	CVE: CVE-2015-8345
		22	[Yocto # 9013]
		23
		24	Signed-off-by: Armin Kuster <akuster@mvista.com>
		25
		26	---
		27	hw/net/eepro100.c \| 16 ++++++++++++++++
		28	1 file changed, 16 insertions(+)
		29
		30	diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
		31	index 60333b7..685a478 100644
		32	--- a/hw/net/eepro100.c
		33	+++ b/hw/net/eepro100.c
		34	@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
		35	#if 0
		36	uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
		37	#endif
		38	+ if (tx_buffer_size == 0) {
		39	+ /* Prevent an endless loop. */
		40	+ logout("loop in %s:%u\n", __FILE__, __LINE__);
		41	+ break;
		42	+ }
		43	tbd_address += 8;
		44	TRACE(RXTX, logout
		45	("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
		46	@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s)
		47
		48	static void action_command(EEPRO100State *s)
		49	{
		50	+ /* The loop below won't stop if it gets special handcrafted data.
		51	+ Therefore we limit the number of iterations. */
		52	+ unsigned max_loop_count = 16;
		53	+
		54	for (;;) {
		55	bool bit_el;
		56	bool bit_s;
		57	@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s)
		58	#if 0
		59	bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
		60	#endif
		61	+
		62	+ if (max_loop_count-- == 0) {
		63	+ /* Prevent an endless loop. */
		64	+ logout("loop in %s:%u\n", __FILE__, __LINE__);
		65	+ break;
		66	+ }
		67	+
		68	s->cu_offset = s->tx.link;
		69	TRACE(OTHER,
		70	logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
		71	--
		72	2.3.5
		73


diff --git a/meta/recipes-devtools/qemu/qemu_2.2.0.bb b/meta/recipes-devtools/qemu/qemu_2.2.0.bb index 950917e66a..72fda62264 100644 --- a/meta/recipes-devtools/qemu/qemu_2.2.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.2.0.bb
@@ -23,6 +23,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
23	file://CVE-2015-8504.patch \	23	file://CVE-2015-8504.patch \
24	file://CVE-2015-7504.patch \	24	file://CVE-2015-7504.patch \
25	file://CVE-2015-7512.patch \	25	file://CVE-2015-7512.patch \
		26	file://CVE-2015-8345.patch \
26	"	27	"
27	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"	28	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
28	SRC_URI[md5sum] = "f7a5e2da22d057eb838a91da7aff43c8"	29	SRC_URI[md5sum] = "f7a5e2da22d057eb838a91da7aff43c8"