diff options
author | Armin Kuster <akuster@mvista.com> | 2019-07-01 17:30:37 -0700 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2019-07-04 12:29:54 -0700 |
commit | 5c45cd09fb29d4a1ebda6153a25f16e312049c44 (patch) | |
tree | a7c390b1d9ce12a6764c6bf8014964cb76ef6c27 | |
parent | 950a60c0e4183037a807031ddc9167b1a81a5348 (diff) | |
download | openembedded-core-contrib-5c45cd09fb29d4a1ebda6153a25f16e312049c44.tar.gz |
qemu: Security fixes CVE-2018-20815 CVE-2019-9824
Source: qemu.org
MR: 98623
Type: Security Fix
Disposition: Backport from qemu.org
ChangeID: 03b3f28e5860ef1cb9f58dce89f252bd7ed59f37
Description:
Fixes both CVE-2018-20815 and CVE-2019-9824
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
4 files changed, 144 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch new file mode 100644 index 0000000000..c3a5981488 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch @@ -0,0 +1,42 @@ +From da885fe1ee8b4589047484bd7fa05a4905b52b17 Mon Sep 17 00:00:00 2001 +From: Peter Maydell <peter.maydell@linaro.org> +Date: Fri, 14 Dec 2018 13:30:52 +0000 +Subject: [PATCH] device_tree.c: Don't use load_image() + +The load_image() function is deprecated, as it does not let the +caller specify how large the buffer to read the file into is. +Instead use load_image_size(). + +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Reviewed-by: Eric Blake <eblake@redhat.com> +Message-id: 20181130151712.2312-9-peter.maydell@linaro.org + +Upstream-Status: Backport +CVE: CVE-2018-20815 +affects <= 3.0.1 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + device_tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/device_tree.c b/device_tree.c +index 6d9c972..296278e 100644 +--- a/device_tree.c ++++ b/device_tree.c +@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep) + /* First allocate space in qemu for device tree */ + fdt = g_malloc0(dt_size); + +- dt_file_load_size = load_image(filename_path, fdt); ++ dt_file_load_size = load_image_size(filename_path, fdt, dt_size); + if (dt_file_load_size < 0) { + error_report("Unable to open device tree file '%s'", + filename_path); +-- +2.7.4 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch new file mode 100644 index 0000000000..d01e874473 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch @@ -0,0 +1,52 @@ +From 065e6298a75164b4347682b63381dbe752c2b156 Mon Sep 17 00:00:00 2001 +From: Markus Armbruster <armbru@redhat.com> +Date: Tue, 9 Apr 2019 19:40:18 +0200 +Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the +computation of @dt_size overflows to a negative number, which then +gets converted to a very large size_t for g_malloc0() and +load_image_size(). In the (fortunately improbable) case g_malloc0() +succeeds and load_image_size() survives, we'd assign the negative +number to *sizep. What that would do to the callers I can't say, but +it's unlikely to be good. + +Fix by rejecting images whose size would overflow. + +Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com> +Signed-off-by: Markus Armbruster <armbru@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> +Message-Id: <20190409174018.25798-1-armbru@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2018-20815 +affects <= 3.0.1 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + device_tree.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/device_tree.c b/device_tree.c +index 296278e..f8b46b3 100644 +--- a/device_tree.c ++++ b/device_tree.c +@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep) + filename_path); + goto fail; + } ++ if (dt_size > INT_MAX / 2 - 10000) { ++ error_report("Device tree file '%s' is too large", filename_path); ++ goto fail; ++ } + + /* Expand to 2x size to give enough room for manipulation. */ + dt_size += 10000; +-- +2.7.4 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch new file mode 100644 index 0000000000..7f8300672b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch @@ -0,0 +1,47 @@ +From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001 +From: William Bowling <will@wbowling.info> +Date: Fri, 1 Mar 2019 21:45:56 +0000 +Subject: [PATCH 1/1] slirp: check sscanf result when emulating ident +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +When emulating ident in tcp_emu, if the strchr checks passed but the +sscanf check failed, two uninitialized variables would be copied and +sent in the reply, so move this code inside the if(sscanf()) clause. + +Signed-off-by: William Bowling <will@wbowling.info> +Cc: qemu-stable@nongnu.org +Cc: secalert@redhat.com +Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info> +Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> + +Upstream-Status: Backport +https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d3222975c7d6cda9e25809dea05241188457b113;hp=6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8 +CVE: CVE-2019-9824 +affects < 4.0.0 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: qemu-3.0.0/slirp/tcp_subr.c +=================================================================== +--- qemu-3.0.0.orig/slirp/tcp_subr.c ++++ qemu-3.0.0/slirp/tcp_subr.c +@@ -662,12 +662,12 @@ tcp_emu(struct socket *so, struct mbuf * + break; + } + } ++ so_rcv->sb_cc = snprintf(so_rcv->sb_data, ++ so_rcv->sb_datalen, ++ "%d,%d\r\n", n1, n2); ++ so_rcv->sb_rptr = so_rcv->sb_data; ++ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; + } +- so_rcv->sb_cc = snprintf(so_rcv->sb_data, +- so_rcv->sb_datalen, +- "%d,%d\r\n", n1, n2); +- so_rcv->sb_rptr = so_rcv->sb_data; +- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; + } + m_free(m); + return 0; diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb index 63a6468acd..b591cc244b 100644 --- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb @@ -32,6 +32,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2018-19364_p2.patch \ file://CVE-2018-19489.patch \ file://CVE-2019-12155.patch \ + file://CVE-2018-20815_p1.patch \ + file://CVE-2018-20815_p2.patch \ + file://CVE-2019-9824.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |