aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-09-19 20:01:16 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 23:21:43 +0100
commit2f3f09dfbff21fb74e50e4e3ce90c252d32ebf61 (patch)
tree29bae85a571eca7e5da994b8600271643f263c10
parent6d7c10eae8b23a71eee6d59baab42d98d8fb7ff8 (diff)
downloadopenembedded-core-2f3f09dfbff21fb74e50e4e3ce90c252d32ebf61.zip
openembedded-core-2f3f09dfbff21fb74e50e4e3ce90c252d32ebf61.tar.gz
openembedded-core-2f3f09dfbff21fb74e50e4e3ce90c252d32ebf61.tar.bz2
qemu: Secuirty fix for CVE-2016-5403
affects qemu < 2.7.0-rc0 Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch67
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.4.0.bb1
2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
new file mode 100644
index 0000000..fe084f5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
@@ -0,0 +1,67 @@
+From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 19 Jul 2016 13:07:13 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits, causing unbounded memory allocation in QEMU.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size. This requires reusing
+vring descriptors in more than one request, which is not allowed by the
+VIRTIO 1.0 specification.
+
+In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
+says:
+
+ 1. The driver places the buffer into free descriptor(s) in the
+ descriptor table, chaining as necessary
+
+and
+
+ Note that the above code does not take precautions against the
+ available ring buffer wrapping around: this is not possible since the
+ ring buffer is the same size as the descriptor table, so step (1) will
+ prevent such a condition.
+
+This implies that placing more buffers into the virtqueue than the
+descriptor table size is not allowed.
+
+QEMU is missing the check to prevent this case. Processing a request
+allocates a VirtQueueElement leading to unbounded memory allocation
+controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits. This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
+Marvel Team, China.
+
+Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2106-5403
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
++++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+
+ max = vq->vring.num;
+
++ if (vq->inuse >= vq->vring.num) {
++ error_report("Virtqueue size exceeded");
++ exit(1);
++ }
++
+ i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+ if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
+ vring_set_avail_event(vq, vq->last_avail_idx);
diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
index c33eb66..ad5ca89 100644
--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -29,6 +29,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://CVE-2016-6351_p1.patch \
file://CVE-2016-6351_p2.patch \
file://CVE-2016-4002.patch \
+ file://CVE-2016-5403.patch \
"
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"