From 1f4c303fd64a4bc05882de01676f241f0df6da78 Mon Sep 17 00:00:00 2001 From: Kai Kang Date: Wed, 26 Oct 2016 17:54:50 +0800 Subject: qemu: fix CVE-2016-7423 and CVE-2016-7908 Backport patches to fix CVE-2016-7423 and CVE-2016-7908 of qemu. Signed-off-by: Kai Kang Signed-off-by: Ross Burton --- .../qemu/qemu/0002-fix-CVE-2016-7423.patch | 45 ++++++++++++++++ .../qemu/qemu/0003-fix-CVE-2016-7908.patch | 62 ++++++++++++++++++++++ meta/recipes-devtools/qemu/qemu_2.7.0.bb | 2 + 3 files changed, 109 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch (limited to 'meta') diff --git a/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch b/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch new file mode 100644 index 0000000000..fdf58a3d65 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch @@ -0,0 +1,45 @@ +Upstream-Status: Backport + +Backport patch to fix CVE-2016-7423 from: + +http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed + +CVE: CVE-2016-7423 + +Signed-off-by: Kai Kang +--- +From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 12 Sep 2016 18:14:11 +0530 +Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object + +When processing IO request in mptsas, it uses g_new to allocate +a 'req' object. If an error occurs before 'req->sreq' is +allocated, It could lead to an OOB write in mptsas_free_request +function. Use g_new0 to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +--- + hw/scsi/mptsas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index 0e0a22f..eaae1bb 100644 +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, + goto bad; + } + +- req = g_new(MPTSASRequest, 1); ++ req = g_new0(MPTSASRequest, 1); + QTAILQ_INSERT_TAIL(&s->pending, req, next); + req->scsi_io = *scsi_io; + req->dev = s; +-- +2.9.3 + diff --git a/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch new file mode 100644 index 0000000000..05cc3d9d13 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch @@ -0,0 +1,62 @@ +Upstream-Status: Backport + +Backport patch to fix CVE-2016-7908 from: + +http://git.qemu.org/?p=qemu.git;a=commit;h=070c4b92b8c + +CVE: CVE-2016-7908 + +Signed-off-by: Kai Kang +--- +From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 22 Sep 2016 16:02:37 +0530 +Subject: [PATCH] net: mcf: limit buffer descriptor count + +ColdFire Fast Ethernet Controller uses buffer descriptors to manage +data flow to/fro receive & transmit queues. While transmitting +packets, it could continue to read buffer descriptors if a buffer +descriptor has length of zero and has crafted values in bd.flags. +Set upper limit to number of buffer descriptors. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Paolo Bonzini +Signed-off-by: Jason Wang +--- + hw/net/mcf_fec.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c +index 0ee8ad9..d31fea1 100644 +--- a/hw/net/mcf_fec.c ++++ b/hw/net/mcf_fec.c +@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0) + #define DPRINTF(fmt, ...) do {} while(0) + #endif + ++#define FEC_MAX_DESC 1024 + #define FEC_MAX_FRAME_SIZE 2032 + + typedef struct { +@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) + uint32_t addr; + mcf_fec_bd bd; + int frame_size; +- int len; ++ int len, descnt = 0; + uint8_t frame[FEC_MAX_FRAME_SIZE]; + uint8_t *ptr; + +@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) + ptr = frame; + frame_size = 0; + addr = s->tx_descriptor; +- while (1) { ++ while (descnt++ < FEC_MAX_DESC) { + mcf_fec_read_bd(&bd, addr); + DPRINTF("tx_bd %x flags %04x len %d data %08x\n", + addr, bd.flags, bd.length, bd.data); +-- +2.9.3 + diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb index 90e4eecb10..a75bcdfa0b 100644 --- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb @@ -10,6 +10,8 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ file://pathlimit.patch \ file://qemu-2.5.0-cflags.patch \ file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \ + file://0002-fix-CVE-2016-7423.patch \ + file://0003-fix-CVE-2016-7908.patch \ " SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" -- cgit v1.2.3