From f5f4a08baeb4864984fcb9a837a3a8c51274df2b Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 3 Mar 2017 12:51:41 +0100 Subject: qemu: display: CVE-2016-9908 virtio-gpu: information leakage in virgl_cmd_get_capset References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9908 Signed-off-by: Sona Sarmadi Signed-off-by: Ross Burton --- .../recipes-devtools/qemu/qemu/CVE-2016-9908.patch | 44 ++++++++++++++++++++++ meta/recipes-devtools/qemu/qemu_2.8.0.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch (limited to 'meta/recipes-devtools/qemu') diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch new file mode 100644 index 0000000000..e0f7a1a3fd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch @@ -0,0 +1,44 @@ +From 7139ccbc907441337b4b59cde2c5b5a54cb5b2cc Mon Sep 17 00:00:00 2001 +From: Sona Sarmadi + +virtio-gpu: fix information leak in capset get dispatch + +In virgl_cmd_get_capset function, it uses g_malloc to allocate +a response struct to the guest. As the 'resp'struct hasn't been full +initialized it will lead the 'resp->padding' field to the guest. +Use g_malloc0 to avoid this. + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com + +[Sona: backported from master to v2.8.0 and resolved conflict] + +Reference to upstream patch: +http://git.qemu-project.org/?p=qemu.git;a=commit;h=85d9d044471f93c48c5c396f7e217b4ef12f69f8 + +CVE: CVE-2016-9908 +Upstream-Status: Backport + +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sona Sarmadi +--- + hw/display/virtio-gpu-3d.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c +index 23f39de..d98b140 100644 +--- a/hw/display/virtio-gpu-3d.c ++++ b/hw/display/virtio-gpu-3d.c +@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, + + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, + &max_size); +- resp = g_malloc(sizeof(*resp) + max_size); ++ resp = g_malloc0(sizeof(*resp) + max_size); + + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; + virgl_renderer_fill_caps(gc.capset_id, +-- +1.9.1 + diff --git a/meta/recipes-devtools/qemu/qemu_2.8.0.bb b/meta/recipes-devtools/qemu/qemu_2.8.0.bb index 7bb4d06fb9..b8799d5cc2 100644 --- a/meta/recipes-devtools/qemu/qemu_2.8.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.8.0.bb @@ -28,6 +28,7 @@ SRC_URI += " \ file://0002-Introduce-condition-to-notify-waiters-of-completed-c.patch \ file://0003-Introduce-condition-in-TPM-backend-for-notification.patch \ file://0004-Add-support-for-VM-suspend-resume-for-TPM-TIS.patch \ + file://CVE-2016-9908.patch \ " SRC_URI_append_class-native = " \ -- cgit v1.2.3