summaryrefslogtreecommitdiffstats
path: root/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
diff options
context:
space:
mode:
Diffstat (limited to 'external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch')
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch86
1 files changed, 0 insertions, 86 deletions
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
deleted file mode 100644
index b632512e..00000000
--- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Sat, 27 Oct 2018 01:13:14 +0530
-Subject: [PATCH] lsi53c895a: check message length value is valid
-
-While writing a message in 'lsi_do_msgin', message length value
-in 'msg_len' could be invalid due to an invalid migration stream.
-Add an assertion to avoid an out of bounds access, and reject
-the incoming migration data if it contains an invalid message
-length.
-
-Discovered by Deja vu Security. Reported by Oracle.
-
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20181026194314.18663-1-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit e58ccf039650065a9442de43c9816f81e88f27f6)
-*CVE-2018-18849
-*avoid context dep. on c921370b22c
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
-Upstream-Status: Backport
-Affects: < 3.1.0
-CVE: CVE-2018-18849
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- hw/scsi/lsi53c895a.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index 160657f..3758635 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -865,10 +865,11 @@ static void lsi_do_status(LSIState *s)
-
- static void lsi_do_msgin(LSIState *s)
- {
-- int len;
-+ uint8_t len;
- DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
- s->sfbr = s->msg[0];
- len = s->msg_len;
-+ assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
- if (len > s->dbc)
- len = s->dbc;
- pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
-@@ -1703,8 +1704,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset)
- break;
- case 0x58: /* SBDL */
- /* Some drivers peek at the data bus during the MSG IN phase. */
-- if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
-+ if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
-+ assert(s->msg_len > 0);
- return s->msg[0];
-+ }
- ret = 0;
- break;
- case 0x59: /* SBDL high */
-@@ -2096,11 +2099,23 @@ static int lsi_pre_save(void *opaque)
- return 0;
- }
-
-+static int lsi_post_load(void *opaque, int version_id)
-+{
-+ LSIState *s = opaque;
-+
-+ if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
-+ return -EINVAL;
-+ }
-+
-+ return 0;
-+}
-+
- static const VMStateDescription vmstate_lsi_scsi = {
- .name = "lsiscsi",
- .version_id = 0,
- .minimum_version_id = 0,
- .pre_save = lsi_pre_save,
-+ .post_load = lsi_post_load,
- .fields = (VMStateField[]) {
- VMSTATE_PCI_DEVICE(parent_obj, LSIState),
-
---
-2.7.4
-