diff options
| author |   Sakib Sajal <sakib.sajal@windriver.com> | 2021-04-23 00:45:05 -0400 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-04-23 10:38:06 +0100 |
| commit | b7930ac72e8f52efb60ac5b55f92e19249e80d33 (patch) | |
| tree | 39049ad8cb7234c54b7d234121a71bf62fae0d7b | |
| parent | 850468c453f2e231a3a41093c650d2cac4b30c56 (diff) | |
| download | openembedded-core-contrib-b7930ac72e8f52efb60ac5b55f92e19249e80d33.tar.gz | |
qemu: fix CVE-2021-20257
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch | 55 |
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 177e453fff..5797bbecf2 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -53,6 +53,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3416_8.patch \ file://CVE-2021-3416_9.patch \ file://CVE-2021-3416_10.patch \ + file://CVE-2021-20257.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch new file mode 100644 index 0000000000..7175b24e99 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch @@ -0,0 +1,55 @@ +From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Wed, 24 Feb 2021 13:45:28 +0800 +Subject: [PATCH] e1000: fail early for evil descriptor + +During procss_tx_desc(), driver can try to chain data descriptor with +legacy descriptor, when will lead underflow for the following +calculation in process_tx_desc() for bytes: + + if (tp->size + bytes > msh) + bytes = msh - tp->size; + +This will lead a infinite loop. So check and fail early if tp->size if +greater or equal to msh. + +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr> +Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de> +Cc: Prasad J Pandit <ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8] +CVE: CVE-2021-20257 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/e1000.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index cf22c4f07..c3564c7ce 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + msh = tp->tso_props.hdr_len + tp->tso_props.mss; + do { + bytes = split_size; ++ if (tp->size >= msh) { ++ goto eop; ++ } + if (tp->size + bytes > msh) + bytes = msh - tp->size; + +@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + tp->size += split_size; + } + ++eop: + if (!(txd_lower & E1000_TXD_CMD_EOP)) + return; + if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) { +-- +2.29.2 + |