From 5f7cdf1e1212af5e3dcf36c8817c63cc853b1a91 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Wed, 29 Apr 2015 11:02:18 +0200
Subject: Qemu: CVE-2014-2894

Fixes an out of bounds memory access flaw in Qemu's IDE device model
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2894
Signed-off-by: Sona Sarmadi
Signed-off-by: Maxin B. John
Signed-off-by: Richard Purdie
---
 .../qemu/files/ide-CVE-2014-2894.patch | 46 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_1.7.0.bb | 3 +-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch
(limited to 'meta')
diff --git a/meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch b/meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch
new file mode 100644
index 0000000000..bd3566e282
--- /dev/null
+++ b/meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch
@@ -0,0 +1,46 @@
+From c5dae2f4c50ef848f224da718154af4438862cdb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Canet?=
+Date: Sat, 12 Apr 2014 22:59:50 +0200
+Subject: [PATCH] ide: Correct improper smart self test counter reset in ide
+ core.
+
+The SMART self test counter was incorrectly being reset to zero,
+not 1. This had the effect that on every 21st SMART EXECUTE OFFLINE:
+ * We would write off the beginning of a dynamically allocated buffer
+ * We forgot the SMART history
+Fix this.
+
+Signed-off-by: Benoit Canet
+Message-id: 1397336390-24664-1-git-send-email-benoit.canet@irqsave.net
+Reviewed-by: Markus Armbruster
+Cc: qemu-stable@nongnu.org
+Acked-by: Kevin Wolf
+[PMM: tweaked commit message as per suggestions from Markus]
+Signed-off-by: Peter Maydell
+
+Fixes CVE-2014-2894
+Upstream-Status: Backport
+
+(cherry picked from commit 940973ae0b45c9b6817bab8e4cf4df99a9ef83d7)
+Signed-off-by: Michael Roth
+Signed-off-by: Sona Sarmadi
+---
+ hw/ide/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index e1f4c33..6007f6f 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1601,7 +1601,7 @@ static bool cmd_smart(IDEState *s, uint8_t cmd)
+ case 2: /* extended self test */
+ s->smart_selftest_count++;
+ if (s->smart_selftest_count > 21) {
+- s->smart_selftest_count = 0;
++ s->smart_selftest_count = 1;
+ }
+ n = 2 + (s->smart_selftest_count - 1) * 24;
+ s->smart_selftest_data[n] = s->sector;
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu_1.7.0.bb b/meta/recipes-devtools/qemu/qemu_1.7.0.bb
index b776cccc02..a519645f56 100644
--- a/meta/recipes-devtools/qemu/qemu_1.7.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_1.7.0.bb
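Review bot: The patch header records the CVE only in the free-text line `Fixes CVE-2014-2894` and in the file name; if the tree's patch-header convention is in use, a `CVE: CVE-2014-2894` tag line next to `Upstream-Status: Backport` would let header-scanning tooling associate the fix with the advisory without parsing prose. The backported change itself looks right from the visible lines: resetting the counter to 0 made `n = 2 + (s->smart_selftest_count - 1) * 24` evaluate to -22, the out-of-bounds write the message describes, while a reset to 1 keeps `n` at 2 or above; the upper bound depends on the size of `smart_selftest_data`, which is not visible here. The enclosing `cmd_smart` body starts and ends outside the hunk.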
@@ -5,7 +5,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
 SRC_URI += "file://fxrstorssefix.patch \
 file://qemu-enlarge-env-entry-size.patch \
- file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch"
+ file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
+ file://ide-CVE-2014-2894.patch"
 SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2"
 SRC_URI[md5sum] = "32893941d40d052a5e649efcf06aca06"
--
cgit 1.2.3-korg