From 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf Mon Sep 17 00:00:00 2001
From: takeshi_hoshina
Date: Mon, 2 Nov 2020 11:07:33 +0900
Subject: basesystem-jj recipes
---
.../qemu/qemu/CVE-2020-7039-1.patch | 44 ++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
(limited to 'external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch')
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
new file mode 100644
index 00000000..df6bca6d
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
@@ -0,0 +1,44 @@
+From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001
+From: Changqing Li
+Date: Thu, 27 Feb 2020 12:07:35 +0800
+Subject: [PATCH] tcp_emu: Fix oob access
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289]
+
+Signed-off-by: Changqing Li
+---
+ slirp/src/tcp_subr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index d6dd133..4bea2d4 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ break;
+
+ case 5:
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
+ /*
+ * The difference between versions 1.0 and
+ * 2.0 is here. For future versions of
+@@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ /* This is the field containing the port
+ * number that RA-player is listening to.
+ */
++
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
+ if (lport < 6970)
+ lport += 256; /* don't know why */
+--
+2.7.4
+
-- cgit 1.2.3-korg
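Review bot: Both guards added in the embedded tcp_subr.c patch test `bptr == m->m_data + m->m_len - 1`, which catches only the case of exactly one byte left and therefore depends on the loop condition, which is outside the hunk context, keeping bptr below the end of the mbuf data. A remaining-length form such as `if (m->m_data + m->m_len - bptr < 2) return 1;` would also fail closed if bptr ever reached or passed the end, although keeping a backport identical to the referenced upstream commit is a defensible choice. The `-1` suffix in the file name suggests the CVE-2020-7039 fix is a series, and this view is limited to one path, so it is worth confirming that any sibling patches and the recipe's SRC_URI entry for this file land with it, since a patch file that is not listed there is never applied. The body of tcp_emu begins and ends outside both inner hunks.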