diff options
author | Anuj Mittal <anuj.mittal@intel.com> | 2019-07-18 10:16:03 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-18 23:34:41 +0100 |
commit | a0236a8f682ab0e897cd99555b9225bae4fb04ab (patch) | |
tree | 2c35f695d32370b17f47b86de629852f305171e8 | |
parent | cef180de3684491f1ac4180ddbcc102121222181 (diff) | |
download | openembedded-core-a0236a8f682ab0e897cd99555b9225bae4fb04ab.tar.gz |
qemu: fix CVE-2019-12155
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch | 35 |
2 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index dfe17eed8b..7f0b3a7a73 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -24,6 +24,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0009-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \ file://0010-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \ file://0013-target-arm-Fix-vector-operation-segfault.patch \ + file://CVE-2019-12155.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch new file mode 100644 index 0000000000..c49a5e9a2a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch @@ -0,0 +1,35 @@ +From d52680fc932efb8a2f334cc6993e705ed1e31e99 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Thu, 25 Apr 2019 12:05:34 +0530 +Subject: [PATCH] qxl: check release info object + +When releasing spice resources in release_resource() routine, +if release info object 'ext.info' is null, it leads to null +pointer dereference. Add check to avoid it. + +Reported-by: Bugs SysSec <bugs-syssec@rub.de> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-id: 20190425063534.32747-1-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2019-12155 +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +--- + hw/display/qxl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index c8ce5781e03..632923add23 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -777,6 +777,9 @@ static void interface_release_resource(QXLInstance *sin, + QXLReleaseRing *ring; + uint64_t *item, id; + ++ if (!ext.info) { ++ return; ++ } + if (ext.group_id == MEMSLOT_GROUP_HOST) { + /* host group -> vga mode update request */ + QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id); |