From 0bd4b0c7ede8a52559e4bf05085a3f0d46a0a280 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Tue, 18 Aug 2015 10:45:56 +0200 Subject: qemu: CVE-2014-7840 Fixes insufficient parameter validation during ram load Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7840 Upstream commit: http://git.qemu.org/?p=qemu.git;a=commit; h=0be839a2701369f669532ea5884c15bead1c6e08 Signed-off-by: Sona Sarmadi Signed-off-by: Armin Kuster --- .../recipes-devtools/qemu/qemu/CVE-2014-7840.patch | 57 ++++++++++++++++++++++ meta/recipes-devtools/qemu/qemu_2.1.0.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch new file mode 100644 index 0000000000..4f992bae14 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch @@ -0,0 +1,57 @@ +From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Wed, 12 Nov 2014 11:44:39 +0200 +Subject: [PATCH] migration: fix parameter validation on ram load + +During migration, the values read from migration stream during ram load +are not validated. Especially offset in host_from_stream_offset() and +also the length of the writes in the callers of said function. + +To fix this, we need to make sure that the [offset, offset + length] +range fits into one of the allocated memory regions. + +Validating addr < len should be sufficient since data seems to always be +managed in TARGET_PAGE_SIZE chunks. + +Fixes: CVE-2014-7840 + +Upstream-Status: Backport + +Note: follow-up patches add extra checks on each block->host access. + +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Paolo Bonzini +Reviewed-by: Dr. David Alan Gilbert +Signed-off-by: Amit Shah +Signed-off-by: Sona Sarmadi +--- + arch_init.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch_init.c b/arch_init.c +index 88a5ba0..593a990 100644 +--- a/arch_init.c ++++ b/arch_init.c +@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f, + uint8_t len; + + if (flags & RAM_SAVE_FLAG_CONTINUE) { +- if (!block) { ++ if (!block || block->length <= offset) { + error_report("Ack, bad migration stream!"); + return NULL; + } +@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f, + id[len] = 0; + + QTAILQ_FOREACH(block, &ram_list.blocks, next) { +- if (!strncmp(id, block->idstr, sizeof(id))) ++ if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) { + return memory_region_get_ram_ptr(block->mr) + offset; ++ } + } + + error_report("Can't find block %s!", id); +-- +1.9.1 + diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb index d0ce74458b..5e5ecf00db 100644 --- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.1.0.bb @@ -8,6 +8,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ file://0001-Back-porting-security-fix-CVE-2014-5388.patch \ file://qemu-CVE-2015-3456.patch \ + file://CVE-2014-7840.patch \ " SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b" -- cgit 1.2.3-korg