author | takeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp> | 2020-11-02 11:07:33 +0900 |
---|---|---|
committer | takeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp> | 2020-11-02 11:07:33 +0900 |
commit | 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf (patch) | |
tree | cd70a267a5ef105ba32f200aa088e281fbd85747 /external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch | |
parent | 4204309872da5cb401cbb2729d9e2d4869a87f42 (diff) |
basesystem-jjsandbox/ToshikazuOhiwa/master-jj
recipes
Diffstat (limited to 'external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch')
-rw-r--r-- | external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch | 86 |
1 files changed, 0 insertions, 86 deletions
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
deleted file mode 100644
index b632512e..00000000
--- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Sat, 27 Oct 2018 01:13:14 +0530
-Subject: [PATCH] lsi53c895a: check message length value is valid
-
-While writing a message in 'lsi_do_msgin', message length value
-in 'msg_len' could be invalid due to an invalid migration stream.
-Add an assertion to avoid an out of bounds access, and reject
-the incoming migration data if it contains an invalid message
-length.
-
-Discovered by Deja vu Security. Reported by Oracle.
-
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20181026194314.18663-1-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit e58ccf039650065a9442de43c9816f81e88f27f6)
-*CVE-2018-18849
-*avoid context dep. on c921370b22c
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
-Upstream-Status: Backport
-Affects: < 3.1.0
-CVE: CVE-2018-18849
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- hw/scsi/lsi53c895a.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index 160657f..3758635 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -865,10 +865,11 @@ static void lsi_do_status(LSIState *s)
-
- static void lsi_do_msgin(LSIState *s)
- {
-- int len;
-+ uint8_t len;
- DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
- s->sfbr = s->msg[0];
- len = s->msg_len;
-+ assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
- if (len > s->dbc)
- len = s->dbc;
- pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
-@@ -1703,8 +1704,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset)
- break;
- case 0x58: /* SBDL */
- /* Some drivers peek at the data bus during the MSG IN phase. */
-- if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
-+ if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
-+ assert(s->msg_len > 0);
- return s->msg[0];
-+ }
- ret = 0;
- break;
- case 0x59: /* SBDL high */
-@@ -2096,11 +2099,23 @@ static int lsi_pre_save(void *opaque)
- return 0;
- }
-
-+static int lsi_post_load(void *opaque, int version_id)
-+{
-+ LSIState *s = opaque;
-+
-+ if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
-+ return -EINVAL;
-+ }
-+
-+ return 0;
-+}
-+
- static const VMStateDescription vmstate_lsi_scsi = {
- .name = "lsiscsi",
- .version_id = 0,
- .minimum_version_id = 0,
- .pre_save = lsi_pre_save,
-+ .post_load = lsi_post_load,
- .fields = (VMStateField[]) {
- VMSTATE_PCI_DEVICE(parent_obj, LSIState),
-
---
-2.7.4
- |