Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch')
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch63
1 files changed, 0 insertions, 63 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
deleted file mode 100644
index 1505c7eed0..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Fri, 10 Jul 2020 11:19:41 +0200
-Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
-
-A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
-occurs while sending an Ethernet frame due to missing break statements
-and improper checking of the buffer size.
-
-Reported-by: Ziming Zhang <ezrakiez@gmail.com>
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5519724a13664b43e225ca05351c60b4468e4555]
-CVE: CVE-2020-15863
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
----
- hw/net/xgmac.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
-index 574dd47..5bf1b61 100644
---- a/hw/net/xgmac.c
-+++ b/hw/net/xgmac.c
-@@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s)
- }
- len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
-
-+ /*
-+ * FIXME: these cases of malformed tx descriptors (bad sizes)
-+ * should probably be reported back to the guest somehow
-+ * rather than simply silently stopping processing, but we
-+ * don't know what the hardware does in this situation.
-+ * This will only happen for buggy guests anyway.
-+ */
- if ((bd.buffer1_size & 0xfff) > 2048) {
- DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
- "xgmac buffer 1 len on send > 2048 (0x%x)\n",
- __func__, bd.buffer1_size & 0xfff);
-+ break;
- }
- if ((bd.buffer2_size & 0xfff) != 0) {
- DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
- "xgmac buffer 2 len on send != 0 (0x%x)\n",
- __func__, bd.buffer2_size & 0xfff);
-+ break;
- }
-- if (len >= sizeof(frame)) {
-+ if (frame_size + len >= sizeof(frame)) {
- DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
-- "buffer\n" , __func__, len, sizeof(frame));
-+ "buffer\n" , __func__, frame_size + len, sizeof(frame));
- DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
- __func__, bd.buffer1_size, bd.buffer2_size);
-+ break;
- }
-
- cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
---
-1.8.3.1
-