diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch b/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch new file mode 100644 index 0000000000..56559c8388 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch @@ -0,0 +1,54 @@ +CVE: CVE-2018-20125 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 2c858ce5da8ae6689c75182b73bc455a291cad41 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Thu, 13 Dec 2018 01:00:36 +0530 +Subject: [PATCH] pvrdma: check number of pages when creating rings + +When creating CQ/QP rings, an object can have up to +PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter +to avoid excessive memory allocation or a null dereference. + +Reported-by: Li Qiang <liq3ea@163.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> +Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> +--- + hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c +index 3b94545761..f236ac4795 100644 +--- a/hw/rdma/vmw/pvrdma_cmd.c ++++ b/hw/rdma/vmw/pvrdma_cmd.c +@@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring, + int rc = -EINVAL; + char ring_name[MAX_RING_NAME_SZ]; + ++ if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) { ++ pr_dbg("invalid nchunks: %d\n", nchunks); ++ return rc; ++ } ++ + pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); + dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); + if (!dir) { +@@ -372,6 +377,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma, + char ring_name[MAX_RING_NAME_SZ]; + uint32_t wqe_sz; + ++ if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES ++ || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) { ++ pr_dbg("invalid pages: %d, %d\n", spages, rpages); ++ return rc; ++ } ++ + pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); + dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); + if (!dir) { +-- +2.20.1 + |