author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-03-03 12:51:41 +0100 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-03-08 11:13:47 +0000 |
commit | f5f4a08baeb4864984fcb9a837a3a8c51274df2b (patch) | |
tree | cc2dda5681c10dccbcf0019e11366b1635549061 | |
parent | 2431faeb88a008b501547808fb8632943b992dcb (diff) | |
qemu: display: CVE-2016-9908
virtio-gpu: information leakage in virgl_cmd_get_capset
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9908
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch | 44 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.8.0.bb | 1 |
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch
new file mode 100644
index 0000000000..e0f7a1a3fd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch
@@ -0,0 +1,44 @@
+From 7139ccbc907441337b4b59cde2c5b5a54cb5b2cc Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+
+virtio-gpu: fix information leak in capset get dispatch
+
+In virgl_cmd_get_capset function, it uses g_malloc to allocate
+a response struct to the guest. As the 'resp'struct hasn't been full
+initialized it will lead the 'resp->padding' field to the guest.
+Use g_malloc0 to avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com
+
+[Sona: backported from master to v2.8.0 and resolved conflict]
+
+Reference to upstream patch:
+http://git.qemu-project.org/?p=qemu.git;a=commit;h=85d9d044471f93c48c5c396f7e217b4ef12f69f8
+
+CVE: CVE-2016-9908
+Upstream-Status: Backport
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/display/virtio-gpu-3d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 23f39de..d98b140 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+ 
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
+- resp = g_malloc(sizeof(*resp) + max_size);
++ resp = g_malloc0(sizeof(*resp) + max_size);
+ 
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ virgl_renderer_fill_caps(gc.capset_id,
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.8.0.bb b/meta/recipes-devtools/qemu/qemu_2.8.0.bb
index 7bb4d06fb9..b8799d5cc2 100644
--- a/meta/recipes-devtools/qemu/qemu_2.8.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.8.0.bb
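Review bot: The `g_malloc0` line in the nested hunk is described, in the patch text above it, only as closing the `resp->padding` leak, yet zeroing the whole `sizeof(*resp) + max_size` allocation would also cover any part of the `max_size` tail that `virgl_renderer_fill_caps` leaves unwritten before the response struct goes to the guest. Whether fill_caps can write fewer than `max_size` bytes cannot be confirmed from the hunk; if it can, the description undersells the fix, and a one-line note such as `Zeroing the full allocation also clears any capset bytes virgl_renderer_fill_caps does not fill.` in the backport header would record why the allocator change, not a targeted `resp->padding = 0`, is the right fix to keep on future rebases. The rest of `virgl_cmd_get_capset`, including where `resp` is handed to the guest, lies outside the hunk.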
@@ -28,6 +28,7 @@ SRC_URI += " \
 file://0002-Introduce-condition-to-notify-waiters-of-completed-c.patch \
 file://0003-Introduce-condition-in-TPM-backend-for-notification.patch \
 file://0004-Add-support-for-VM-suspend-resume-for-TPM-TIS.patch \
+ file://CVE-2016-9908.patch \
 "
 
 SRC_URI_append_class-native = " \