diff options
author | Kai Kang <kai.kang@windriver.com> | 2016-11-10 15:01:25 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-23 11:02:26 +0000 |
commit | 126783ca25a5ae9daf87ac563239fbff4696a682 (patch) | |
tree | bf68d2f168d9ca57bd4ad509cd616306eced71f7 /meta | |
parent | a3c2acee40c8875e311e03bff6906e7c93c491fc (diff) | |
download | openembedded-core-126783ca25a5ae9daf87ac563239fbff4696a682.tar.gz openembedded-core-126783ca25a5ae9daf87ac563239fbff4696a682.tar.bz2 openembedded-core-126783ca25a5ae9daf87ac563239fbff4696a682.zip |
qemu: fix CVE-2016-7909
Backport patch to fix CVE-2016-7909 of qemu.
Ref:
https://security-tracker.debian.org/tracker/CVE-2016-7909
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch | 42 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.7.0.bb | 1 |
2 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch new file mode 100644 index 0000000000..e71bbf6205 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch @@ -0,0 +1,42 @@ +Upstream-Status: Backport [http://git.qemu.org/?p=qemu.git;a=commit;h=34e29ce] +CVE: CVE-2016-7909 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +--- +From 34e29ce754c02bb6b3bdd244fbb85033460feaff Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Fri, 30 Sep 2016 00:27:33 +0530 +Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length + +The AMD PC-Net II emulator has set of control and status(CSR) +registers. Of these, CSR76 and CSR78 hold receive and transmit +descriptor ring length respectively. This ring length could range +from 1 to 65535. Setting ring length to zero leads to an infinite +loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it. + +Reported-by: Li Qiang <liqiang6-s@360.cn> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> +--- + hw/net/pcnet.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index 198a01f..3078de8 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value) + case 47: /* POLLINT */ + case 72: + case 74: ++ break; + case 76: /* RCVRL */ + case 78: /* XMTRL */ ++ val = (val > 0) ? val : 512; ++ break; + case 112: + if (CSR_STOP(s) || CSR_SPND(s)) + break; +-- +2.10.1 + diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb index a75bcdfa0b..cef181dcea 100644 --- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb @@ -12,6 +12,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \ file://0002-fix-CVE-2016-7423.patch \ file://0003-fix-CVE-2016-7908.patch \ + file://0004-fix-CVE-2016-7909.patch \ " SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" |