diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch | 70 |
1 files changed, 0 insertions, 70 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch deleted file mode 100644 index 88bfd811ea..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 20abe443ad9464b18ac494f71f7d53f19ee3748f Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Mon, 15 Oct 2018 16:38:08 +0800 -Subject: [PATCH] rtl8139: fix possible out of bound access - -In rtl8139_do_receive(), we try to assign size_ to size which converts -from size_t to integer. This will cause troubles when size_ is greater -INT_MAX, this will lead a negative value in size and it can then pass -the check of size < MIN_BUF_SIZE which may lead out of bound access of -for both buf and buf1. - -Fixing by converting the type of size to size_t. - -CC: address@hidden -Reported-by: Daniel Shapira <address@hidden> -Reviewed-by: Michael S. Tsirkin <address@hidden> -Signed-off-by: Jason Wang <address@hidden> - -Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html] - -CVE: CVE-2018-17962 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - hw/net/rtl8139.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 46daa16..2342a09 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t - RTL8139State *s = qemu_get_nic_opaque(nc); - PCIDevice *d = PCI_DEVICE(s); - /* size is the length of the buffer passed to the driver */ -- int size = size_; -+ size_t size = size_; - const uint8_t *dot1q_buf = NULL; - - uint32_t packet_header = 0; -@@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t - static const uint8_t broadcast_macaddr[6] = - { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; - -- DPRINTF(">>> received len=%d\n", size); -+ DPRINTF(">>> received len=%zu\n", size); - - /* test if board clock is stopped */ - if (!s->clock_enabled) -@@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t - - if (size+4 > rx_space) - { -- DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n", -+ DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n", - descriptor, rx_space, size); - - s->IntrStatus |= RxOverflow; -@@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t - if (avail != 0 && RX_ALIGN(size + 8) >= avail) - { - DPRINTF("rx overflow: rx buffer length %d head 0x%04x " -- "read 0x%04x === available 0x%04x need 0x%04x\n", -+ "read 0x%04x === available 0x%04x need 0x%04zx\n", - s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8); - - s->IntrStatus |= RxOverflow; --- -2.7.4 - |