qemu: fix CVE-2017-16845

During Qemu guest migration, a destination process invokes ps2 post_load function. In that, if 'rptr' and 'count' values were invalid, it could lead to OOB access or infinite loop issue. Add check to avoid it. (From OE-Core rev: 0d8f68fe43b4da1a0d356fe6bedb52b8f2a02081) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hongxu Jia <hongxu.jia@windriver.com> 2018-04-24 15:37:50 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-05-04 13:28:05 +0100
commit: 722fbf6c732632c541a436335b8aa2e5b8471fec (patch)
tree: a4f46c6e7cb11a0e5e0a13e9f759a93f4954512a /meta/recipes-devtools/qemu
parent: 0e2482864318f9aa9591e7acaa39188f4e1e9c2e (diff)
download: poky-722fbf6c732632c541a436335b8aa2e5b8471fec.tar.gz
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch b/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch
new file mode 100644
index 0000000000..f8d7f66ace
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch
@@ -0,0 +1,63 @@
+From ee9a17d0e12143971a9676227cce953c0dbe52fb Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 16 Nov 2017 13:21:55 +0530
+Subject: [PATCH] ps2: check PS2Queue pointers in post_load routine
+During Qemu guest migration, a destination process invokes ps2
+post_load function. In that, if 'rptr' and 'count' values were
+invalid, it could lead to OOB access or infinite loop issue.
+Add check to avoid it.
+Reported-by: Cyrille Chatras <cyrille.chatras@orange.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20171116075155.22378-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+CVE: CVE-2017-16845
+Upstream-Status: Backport
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ hw/input/ps2.c | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+diff --git a/hw/input/ps2.c b/hw/input/ps2.c
+index f388a23..de171a2 100644
+--- a/hw/input/ps2.c
+++ b/hw/input/ps2.c
+@@ -1225,24 +1225,21 @@ static void ps2_common_reset(PS2State *s)
+ static void ps2_common_post_load(PS2State *s)
+ {
+     PS2Queue *q = &s->queue;
+-    int size;
+-    int i;
+-    int tmp_data[PS2_QUEUE_SIZE];
+    uint8_t i, size;
+    uint8_t tmp_data[PS2_QUEUE_SIZE];
+ 
+     /* set the useful data buffer queue size, < PS2_QUEUE_SIZE */
+-    size = q->count > PS2_QUEUE_SIZE ? 0 : q->count;
+    size = (q->count < 0 || q->count > PS2_QUEUE_SIZE) ? 0 : q->count;
+ 
+     /* move the queue elements to the start of data array */
+-    if (size > 0) {
+-        for (i = 0; i < size; i++) {
+-            /* move the queue elements to the temporary buffer */
+-            tmp_data[i] = q->data[q->rptr];
+-            if (++q->rptr == 256) {
+-                q->rptr = 0;
+-            }
+    for (i = 0; i < size; i++) {
+        if (q->rptr < 0 || q->rptr >= sizeof(q->data)) {
+            q->rptr = 0;
+         }
+-        memcpy(q->data, tmp_data, size);
+        tmp_data[i] = q->data[q->rptr++];
+     }
+    memcpy(q->data, tmp_data, size);
+
+     /* reset rptr/wptr/count */
+     q->rptr = 0;
+     q->wptr = size;
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/qemu/qemu_2.11.1.bb b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
index f4b7d69fca..ab82c5fe56 100644
--- a/meta/recipes-devtools/qemu/qemu_2.11.1.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
           file://linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
           file://memfd.patch \
           file://0001-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch \
+           file://check-PS2Queue-pointers-in-post_load-routine.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
author	Hongxu Jia <hongxu.jia@windriver.com>	2018-04-24 15:37:50 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-05-04 13:28:05 +0100
commit	722fbf6c732632c541a436335b8aa2e5b8471fec (patch)
tree	a4f46c6e7cb11a0e5e0a13e9f759a93f4954512a /meta/recipes-devtools/qemu
parent	0e2482864318f9aa9591e7acaa39188f4e1e9c2e (diff)
download	poky-722fbf6c732632c541a436335b8aa2e5b8471fec.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch b/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch new file mode 100644 index 0000000000..f8d7f66ace --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch
@@ -0,0 +1,63 @@
		1	From ee9a17d0e12143971a9676227cce953c0dbe52fb Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Thu, 16 Nov 2017 13:21:55 +0530
		4	Subject: [PATCH] ps2: check PS2Queue pointers in post_load routine
		5
		6	During Qemu guest migration, a destination process invokes ps2
		7	post_load function. In that, if 'rptr' and 'count' values were
		8	invalid, it could lead to OOB access or infinite loop issue.
		9	Add check to avoid it.
		10
		11	Reported-by: Cyrille Chatras <cyrille.chatras@orange.com>
		12	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		13	Message-id: 20171116075155.22378-1-ppandit@redhat.com
		14	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		15
		16	CVE: CVE-2017-16845
		17	Upstream-Status: Backport
		18	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		19	---
		20	hw/input/ps2.c \| 21 +++++++++------------
		21	1 file changed, 9 insertions(+), 12 deletions(-)
		22
		23	diff --git a/hw/input/ps2.c b/hw/input/ps2.c
		24	index f388a23..de171a2 100644
		25	--- a/hw/input/ps2.c
		26	+++ b/hw/input/ps2.c
		27	@@ -1225,24 +1225,21 @@ static void ps2_common_reset(PS2State *s)
		28	static void ps2_common_post_load(PS2State *s)
		29	{
		30	PS2Queue *q = &s->queue;
		31	- int size;
		32	- int i;
		33	- int tmp_data[PS2_QUEUE_SIZE];
		34	+ uint8_t i, size;
		35	+ uint8_t tmp_data[PS2_QUEUE_SIZE];
		36
		37	/* set the useful data buffer queue size, < PS2_QUEUE_SIZE */
		38	- size = q->count > PS2_QUEUE_SIZE ? 0 : q->count;
		39	+ size = (q->count < 0 \|\| q->count > PS2_QUEUE_SIZE) ? 0 : q->count;
		40
		41	/* move the queue elements to the start of data array */
		42	- if (size > 0) {
		43	- for (i = 0; i < size; i++) {
		44	- /* move the queue elements to the temporary buffer */
		45	- tmp_data[i] = q->data[q->rptr];
		46	- if (++q->rptr == 256) {
		47	- q->rptr = 0;
		48	- }
		49	+ for (i = 0; i < size; i++) {
		50	+ if (q->rptr < 0 \|\| q->rptr >= sizeof(q->data)) {
		51	+ q->rptr = 0;
		52	}
		53	- memcpy(q->data, tmp_data, size);
		54	+ tmp_data[i] = q->data[q->rptr++];
		55	}
		56	+ memcpy(q->data, tmp_data, size);
		57	+
		58	/* reset rptr/wptr/count */
		59	q->rptr = 0;
		60	q->wptr = size;
		61	--
		62	2.7.4
		63


diff --git a/meta/recipes-devtools/qemu/qemu_2.11.1.bb b/meta/recipes-devtools/qemu/qemu_2.11.1.bb index f4b7d69fca..ab82c5fe56 100644 --- a/meta/recipes-devtools/qemu/qemu_2.11.1.bb +++ b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
22	file://linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \	22	file://linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
23	file://memfd.patch \	23	file://memfd.patch \
24	file://0001-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch \	24	file://0001-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch \
		25	file://check-PS2Queue-pointers-in-post_load-routine.patch \
25	"	26	"
26	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"	27	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
27		28