summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch
diff options
context:
space:
mode:
authorKai Kang <kai.kang@windriver.com>2019-03-15 04:01:19 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-03-19 15:28:52 +0000
commit2f7749c12f7394be81433577220688034eaafab8 (patch)
tree20316204ba0cf08cb1edaa17c908b07ecccd5c9b /meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch
parenta9b2f3561ee0fbe9db08ebbba63e69699cdd049a (diff)
downloadpoky-2f7749c12f7394be81433577220688034eaafab8.tar.gz
poky-2f7749c12f7394be81433577220688034eaafab8.tar.bz2
poky-2f7749c12f7394be81433577220688034eaafab8.zip
qemu: backport patches to fix cves
CVE: CVE-2018-16872 CVE: CVE-2018-20124 CVE: CVE-2018-20125 CVE: CVE-2018-20126 CVE: CVE-2018-20191 CVE: CVE-2018-20216 Patches 0015-fix-CVE-2018-20124.patch and 0017-fix-CVE-2018-20126.patch are rebased on current source code. Others are not modified. (From OE-Core rev: 489ece1aa90d8f76b4c1f009d837f82e38e11ba9) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch')
-rw-r--r--meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch85
1 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch b/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch
new file mode 100644
index 0000000000..c02bad3bb9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch
@@ -0,0 +1,85 @@
+CVE: CVE-2018-20216
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From f1e2e38ee0136b7710a2caa347049818afd57a1b Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:39 +0530
+Subject: [PATCH] pvrdma: check return value from pvrdma_idx_ring_has_ routines
+
+pvrdma_idx_ring_has_[data/space] routines also return invalid
+index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check
+return value from these routines to avoid plausible infinite loops.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+---
+ hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------
+ 1 file changed, 11 insertions(+), 18 deletions(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
+index 01247fc041..e8e5b502f6 100644
+--- a/hw/rdma/vmw/pvrdma_dev_ring.c
++++ b/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -73,23 +73,16 @@ out:
+
+ void *pvrdma_ring_next_elem_read(PvrdmaRing *ring)
+ {
++ int e;
+ unsigned int idx = 0, offset;
+
+- /*
+- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
+- ring->ring_state->cons_head);
+- */
+-
+- if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) {
++ e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
++ if (e <= 0) {
+ pr_dbg("No more data in ring\n");
+ return NULL;
+ }
+
+ offset = idx * ring->elem_sz;
+- /*
+- pr_dbg("idx=%d\n", idx);
+- pr_dbg("offset=%d\n", offset);
+- */
+ return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
+ }
+
+@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring)
+
+ void *pvrdma_ring_next_elem_write(PvrdmaRing *ring)
+ {
+- unsigned int idx, offset, tail;
++ int idx;
++ unsigned int offset, tail;
+
+- /*
+- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
+- ring->ring_state->cons_head);
+- */
+-
+- if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) {
++ idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
++ if (idx <= 0) {
+ pr_dbg("CQ is full\n");
+ return NULL;
+ }
+
+ idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
+- /* TODO: tail == idx */
++ if (idx < 0 || tail != idx) {
++ pr_dbg("invalid idx\n");
++ return NULL;
++ }
+
+ offset = idx * ring->elem_sz;
+ return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
+--
+2.20.1
+