diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2024-02-26 12:33:09 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-02-28 04:51:20 -1000 |
commit | 71600de72c602e6d1ae2c3b13af6c59440affdb6 (patch) | |
tree | aa4332235442c6f9d4ec255d99c240c315e99428 | |
parent | c8b30db7fcecc726fae87c8c49d4c01f0feeb2ab (diff) | |
download | openembedded-core-contrib-71600de72c602e6d1ae2c3b13af6c59440affdb6.tar.gz |
qemu: Fix for CVE-2024-24474
Upstream-Status: Backport
[https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch | 44 |
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index c5fb9b1eab..18752af274 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -103,6 +103,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3638.patch \ file://CVE-2023-1544.patch \ file://CVE-2023-5088.patch \ + file://CVE-2024-24474.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch new file mode 100644 index 0000000000..e890fe56cf --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch @@ -0,0 +1,44 @@ +From 77668e4b9bca03a856c27ba899a2513ddf52bb52 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Date: Wed, 13 Sep 2023 21:44:09 +0100 +Subject: [PATCH] esp: restrict non-DMA transfer length to that of available + data + +In the case where a SCSI layer transfer is incorrectly terminated, it is +possible for a TI command to cause a SCSI buffer overflow due to the +expected transfer data length being less than the available data in the +FIFO. When this occurs the unsigned async_len variable underflows and +becomes a large offset which writes past the end of the allocated SCSI +buffer. + +Restrict the non-DMA transfer length to be the smallest of the expected +transfer length and the available FIFO data to ensure that it is no longer +possible for the SCSI buffer overflow to occur. + +Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810 +Reviewed-by: Thomas Huth <thuth@redhat.com> +Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52] +CVE: CVE-2024-24474 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + hw/scsi/esp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 4218a6a96054..9b11d8c5738a 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -759,7 +759,8 @@ static void esp_do_nodma(ESPState *s) + } + + if (to_device) { +- len = MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ); ++ len = MIN(s->async_len, ESP_FIFO_SZ); ++ len = MIN(len, fifo8_num_used(&s->fifo)); + esp_fifo_pop_buf(&s->fifo, s->async_buf, len); + s->async_buf += len; + s->async_len -= len; |