diff options
| author |   Sakib Sajal <sakib.sajal@windriver.com> | 2020-07-14 15:51:16 -0400 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-07-18 11:06:27 +0100 |
| commit | 3a95b5a67ce981b8949d9e5067762b7127d15353 (patch) | |
| tree | e5844335f688b0687ceba9a386938878e24a2ba2 /meta/recipes-devtools | |
| parent | 7934ed49179242f15b413c0275040a3bb6b68876 (diff) | |
| download | openembedded-core-contrib-3a95b5a67ce981b8949d9e5067762b7127d15353.tar.gz | |
qemu: fix CVE-2020-13362
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch | 55 |
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index d41cc8f200..98bdff7ac6 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -32,6 +32,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-13361.patch \ file://find_datadir.patch \ file://CVE-2020-10761.patch \ + file://CVE-2020-13362.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch new file mode 100644 index 0000000000..af8d4ba8f4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch @@ -0,0 +1,55 @@ +From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Thu, 14 May 2020 00:55:38 +0530 +Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check + index + +A guest user may set 'reply_queue_head' field of MegasasState to +a negative value. Later in 'megasas_lookup_frame' it is used to +index into s->frames[] array. Use unsigned type to avoid OOB +access issue. + +Also check that 'index' value stays within s->frames[] bounds +through the while() loop in 'megasas_lookup_frame' to avoid OOB +access. + +Reported-by: Ren Ding <rding@gatech.edu> +Reported-by: Hanqing Zhao <hanqing@gatech.edu> +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Acked-by: Alexander Bulekov <alxndr@bu.edu> +Message-Id: <20200513192540.1583887-2-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Upstream-Status: Backport [f50ab86a2620bd7e8507af865b164655ee921661] +CVE: CVE-2020-13362 +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/scsi/megasas.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index af18c88b65..6ce598cd69 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -112,7 +112,7 @@ typedef struct MegasasState { + uint64_t reply_queue_pa; + void *reply_queue; + int reply_queue_len; +- int reply_queue_head; ++ uint16_t reply_queue_head; + int reply_queue_tail; + uint64_t consumer_pa; + uint64_t producer_pa; +@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s, + + index = s->reply_queue_head; + +- while (num < s->fw_cmds) { ++ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) { + if (s->frames[index].pa && s->frames[index].pa == frame) { + cmd = &s->frames[index]; + break; +-- +2.20.1 + |