diff options
| author |   Armin Kuster <akuster@mvista.com> | 2019-05-29 11:14:38 -0700 |
|---|---|---|
| committer |   Armin Kuster <akuster808@gmail.com> | 2019-06-01 08:53:19 -0700 |
| commit | e3dfe53a334cd952cc2194fd3baad6d082659b7e (patch) | |
| tree | 94d2d6c13929b7bc60c04fffabb5bcde1b23eaf6 /meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch | |
| parent | ac5dca7dc68519b36aa976dfd25d8efa76af74ec (diff) | |
| download | openembedded-core-contrib-e3dfe53a334cd952cc2194fd3baad6d082659b7e.tar.gz | |
qemu: Several CVE fixes
Source: qemu.org
MR: 97258, 97342, 97438, 97443
Type: Security Fix
Disposition: Backport from git.qemu.org/qemu.git
ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5
Description:
These issues affect qemu < 3.1.0
Fixes:
CVE-2018-16867
CVE-2018-16872
CVE-2018-18849
CVE-2018-19364
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch new file mode 100644 index 0000000000..b632512e8b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch @@ -0,0 +1,86 @@ +From bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Sat, 27 Oct 2018 01:13:14 +0530 +Subject: [PATCH] lsi53c895a: check message length value is valid + +While writing a message in 'lsi_do_msgin', message length value +in 'msg_len' could be invalid due to an invalid migration stream. +Add an assertion to avoid an out of bounds access, and reject +the incoming migration data if it contains an invalid message +length. + +Discovered by Deja vu Security. Reported by Oracle. + +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20181026194314.18663-1-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +(cherry picked from commit e58ccf039650065a9442de43c9816f81e88f27f6) +*CVE-2018-18849 +*avoid context dep. on c921370b22c +Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> + +Upstream-Status: Backport +Affects: < 3.1.0 +CVE: CVE-2018-18849 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/scsi/lsi53c895a.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 160657f..3758635 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -865,10 +865,11 @@ static void lsi_do_status(LSIState *s) + + static void lsi_do_msgin(LSIState *s) + { +- int len; ++ uint8_t len; + DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len); + s->sfbr = s->msg[0]; + len = s->msg_len; ++ assert(len > 0 && len <= LSI_MAX_MSGIN_LEN); + if (len > s->dbc) + len = s->dbc; + pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len); +@@ -1703,8 +1704,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset) + break; + case 0x58: /* SBDL */ + /* Some drivers peek at the data bus during the MSG IN phase. */ +- if ((s->sstat1 & PHASE_MASK) == PHASE_MI) ++ if ((s->sstat1 & PHASE_MASK) == PHASE_MI) { ++ assert(s->msg_len > 0); + return s->msg[0]; ++ } + ret = 0; + break; + case 0x59: /* SBDL high */ +@@ -2096,11 +2099,23 @@ static int lsi_pre_save(void *opaque) + return 0; + } + ++static int lsi_post_load(void *opaque, int version_id) ++{ ++ LSIState *s = opaque; ++ ++ if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) { ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static const VMStateDescription vmstate_lsi_scsi = { + .name = "lsiscsi", + .version_id = 0, + .minimum_version_id = 0, + .pre_save = lsi_pre_save, ++ .post_load = lsi_post_load, + .fields = (VMStateField[]) { + VMSTATE_PCI_DEVICE(parent_obj, LSIState), + +-- +2.7.4 + |