1 files changed, 54 insertions, 0 deletions

diff --git a/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch b/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch
new file mode 100644
index 0000000000..56559c8388
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch
@@ -0,0 +1,54 @@
+CVE: CVE-2018-20125
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 2c858ce5da8ae6689c75182b73bc455a291cad41 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:36 +0530
+Subject: [PATCH] pvrdma: check number of pages when creating rings
+
+When creating CQ/QP rings, an object can have up to
+PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter
+to avoid excessive memory allocation or a null dereference.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index 3b94545761..f236ac4795 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
+     int rc = -EINVAL;
+     char ring_name[MAX_RING_NAME_SZ];
+ 
++    if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
++        pr_dbg("invalid nchunks: %d\n", nchunks);
++        return rc;
++    }
++
+     pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
+     dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
+     if (!dir) {
+@@ -372,6 +377,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
+     char ring_name[MAX_RING_NAME_SZ];
+     uint32_t wqe_sz;
+ 
++    if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
++        || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
++        pr_dbg("invalid pages: %d, %d\n", spages, rpages);
++        return rc;
++    }
++
+     pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
+     dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
+     if (!dir) {
+-- 
+2.20.1
+