diff options
Diffstat (limited to 'external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch')
-rw-r--r-- | external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch deleted file mode 100644 index d01e8744..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 065e6298a75164b4347682b63381dbe752c2b156 Mon Sep 17 00:00:00 2001 -From: Markus Armbruster <armbru@redhat.com> -Date: Tue, 9 Apr 2019 19:40:18 +0200 -Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the -computation of @dt_size overflows to a negative number, which then -gets converted to a very large size_t for g_malloc0() and -load_image_size(). In the (fortunately improbable) case g_malloc0() -succeeds and load_image_size() survives, we'd assign the negative -number to *sizep. What that would do to the callers I can't say, but -it's unlikely to be good. - -Fix by rejecting images whose size would overflow. - -Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com> -Signed-off-by: Markus Armbruster <armbru@redhat.com> -Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Signed-off-by: Alistair Francis <alistair.francis@wdc.com> -Message-Id: <20190409174018.25798-1-armbru@redhat.com> - -Upstream-Status: Backport -CVE: CVE-2018-20815 -affects <= 3.0.1 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - device_tree.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/device_tree.c b/device_tree.c -index 296278e..f8b46b3 100644 ---- a/device_tree.c -+++ b/device_tree.c -@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep) - filename_path); - goto fail; - } -+ if (dt_size > INT_MAX / 2 - 10000) { -+ error_report("Device tree file '%s' is too large", filename_path); -+ goto fail; -+ } - - /* Expand to 2x size to give enough room for manipulation. */ - dt_size += 10000; --- -2.7.4 - |