qemu: fix CVE-2021-20257

author Sakib Sajal <sakib.sajal@windriver.com>

Fri, 23 Apr 2021 04:45:05 +0000 (00:45 -0400)

committer Anuj Mittal <anuj.mittal@intel.com>

Mon, 26 Apr 2021 00:31:02 +0000 (08:31 +0800)
author Sakib Sajal <sakib.sajal@windriver.com>
Fri, 23 Apr 2021 04:45:05 +0000 (00:45 -0400)
committer Anuj Mittal <anuj.mittal@intel.com>
Mon, 26 Apr 2021 00:31:02 +0000 (08:31 +0800)
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc

index 177e453fff215454ac8665c15d8b73662f47be38..5797bbecf2f8debfb31c06b4da0742dd362f7f3d 100644 (file)
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -53,6 +53,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
             file://CVE-2021-3416_8.patch \
             file://CVE-2021-3416_9.patch \
             file://CVE-2021-3416_10.patch \
+           file://CVE-2021-20257.patch \
             "
  UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
  
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch

new file mode 100644 (file)

index 0000000..7175b24
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
@@ -0,0 +1,55 @@
+From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:45:28 +0800
+Subject: [PATCH] e1000: fail early for evil descriptor
+
+During procss_tx_desc(), driver can try to chain data descriptor with
+legacy descriptor, when will lead underflow for the following
+calculation in process_tx_desc() for bytes:
+
+            if (tp->size + bytes > msh)
+                bytes = msh - tp->size;
+
+This will lead a infinite loop. So check and fail early if tp->size if
+greater or equal to msh.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]
+CVE: CVE-2021-20257
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index cf22c4f07..c3564c7ce 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+         do {
+             bytes = split_size;
++            if (tp->size >= msh) {
++                goto eop;
++            }
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
+ 
+@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         tp->size += split_size;
+     }
+ 
++eop:
+     if (!(txd_lower & E1000_TXD_CMD_EOP))
+         return;
+     if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
+-- 
+2.29.2
+
author	Sakib Sajal <sakib.sajal@windriver.com>
	Fri, 23 Apr 2021 04:45:05 +0000 (00:45 -0400)
committer	Anuj Mittal <anuj.mittal@intel.com>
	Mon, 26 Apr 2021 00:31:02 +0000 (08:31 +0800)
meta/recipes-devtools/qemu/qemu.inc		patch \| blob \| history
meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch	[new file with mode: 0644]	patch \| blob