diff options
-rw-r--r-- | user/qemu/APKBUILD | 6 | ||||
-rw-r--r-- | user/qemu/CVE-2020-11102.patch | 144 |
2 files changed, 149 insertions, 1 deletions
diff --git a/user/qemu/APKBUILD b/user/qemu/APKBUILD index 579eed14f..bc3744541 100644 --- a/user/qemu/APKBUILD +++ b/user/qemu/APKBUILD @@ -6,7 +6,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=qemu pkgver=4.2.0 -pkgrel=0 +pkgrel=1 pkgdesc="Machine emulator and virtualisation software" url="https://www.qemu.org/" arch="all" @@ -160,6 +160,7 @@ source="https://download.qemu.org/$pkgname-$pkgver.tar.xz time64.patch MAP_SYNC-fix.patch CVE-2020-1711.patch + CVE-2020-11102.patch $pkgname-guest-agent.confd $pkgname-guest-agent.initd @@ -230,6 +231,8 @@ builddir="$srcdir/$pkgname-$pkgver" # - CVE-2020-1711 # - CVE-2020-7039 # - CVE-2020-8608 +# 4.2.0-r1: +# - CVE-2020-11102 prepare() { default_prepare # apply patches @@ -454,6 +457,7 @@ c6436b1cc986788baccd5fe0f9d23c7db9026f6b723260611cf894bd94ee830140a17ee5859efe0d 87f659800b78b31731ea1828a27a3762662ef124d10e942f6029b332d5e8cf4487f62a3d742ad59709c2eb9e3ae8af36fa849d6cbac89978a282d29786b9b41a time64.patch d7de79ea74e36702cac4a59e472564a55f0a663be7e63c3755e32b4b5dfbc04b390ee79f09f43f6ae706ee2aec9e005eade3c0fd4a202db60d11f436874a17d7 MAP_SYNC-fix.patch 0ea3745c45507c00c3c036241992d594b5f7e9aa1f0fa9b425dd222390066e1ea2d0aa4923bde0e7f27b7cc2f759a122ae4b600c2fa682a5aad509e7d03ccad9 CVE-2020-1711.patch +5d9e7e065c6716024eab4984331071f42dcd5363c5456023f81a3ef0329ae578348d0f875868f85c9e1fee5e435d86e2eb7e342a957c36cd099cb5d5d9f3a78d CVE-2020-11102.patch d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd 1cd24c2444c5935a763c501af2b0da31635aad9cf62e55416d6477fcec153cddbe7de205d99616def11b085e0dd366ba22463d2270f831d884edbc307c7864a6 qemu-guest-agent.initd 9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules diff --git a/user/qemu/CVE-2020-11102.patch b/user/qemu/CVE-2020-11102.patch new file mode 100644 index 000000000..c437a7d47 --- /dev/null +++ b/user/qemu/CVE-2020-11102.patch @@ -0,0 +1,144 @@ +From 8ffb7265af64ec81748335ec8f20e7ab542c3850 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 24 Mar 2020 22:57:22 +0530 +Subject: [PATCH 1/1] net: tulip: check frame size and r/w data length + +Tulip network driver while copying tx/rx buffers does not check +frame size against r/w data length. This may lead to OOB buffer +access. Add check to avoid it. + +Limit iterations over descriptors to avoid potential infinite +loop issue in tulip_xmit_list_update. + +Reported-by: Li Qiang <pangpei.lq@antfin.com> +Reported-by: Ziming Zhang <ezrakiez@gmail.com> +Reported-by: Jason Wang <jasowang@redhat.com> +Tested-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> +--- + hw/net/tulip.c | 36 +++++++++++++++++++++++++++--------- + 1 file changed, 27 insertions(+), 9 deletions(-) + +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index cfac271..1295f51 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size) + + trace_tulip_receive(buf, size); + +- if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) { ++ if (size < 14 || size > sizeof(s->rx_frame) - 4 ++ || s->rx_frame_len || tulip_rx_stopped(s)) { + return 0; + } + +@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc, + return tulip_receive(qemu_get_nic_opaque(nc), buf, size); + } + +- + static NetClientInfo net_tulip_info = { + .type = NET_CLIENT_DRIVER_NIC, + .size = sizeof(NICState), +@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) { + /* Internal or external Loopback */ + tulip_receive(s, s->tx_frame, s->tx_frame_len); +- } else { ++ } else if (s->tx_frame_len <= sizeof(s->tx_frame)) { + qemu_send_packet(qemu_get_queue(s->nic), + s->tx_frame, s->tx_frame_len); + } +@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + } + } + +-static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) ++static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) + { + int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK; + int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK; + ++ if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len1) { + pci_dma_read(&s->dev, desc->buf_addr1, + s->tx_frame + s->tx_frame_len, len1); + s->tx_frame_len += len1; + } + ++ if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len2) { + pci_dma_read(&s->dev, desc->buf_addr2, + s->tx_frame + s->tx_frame_len, len2); + s->tx_frame_len += len2; + } + desc->status = (len1 + len2) ? 0 : 0x7fffffff; ++ ++ return 0; + } + + static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n) +@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s) + + static void tulip_xmit_list_update(TULIPState *s) + { ++#define TULIP_DESC_MAX 128 ++ uint8_t i = 0; + struct tulip_descriptor desc; + + if (tulip_ts(s) != CSR5_TS_SUSPENDED) { + return; + } + +- for (;;) { ++ for (i = 0; i < TULIP_DESC_MAX; i++) { + tulip_desc_read(s, s->current_tx_desc, &desc); + tulip_dump_tx_descriptor(s, &desc); + +@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s) + s->tx_frame_len = 0; + } + +- tulip_copy_tx_buffers(s, &desc); +- +- if (desc.control & TDES1_LS) { +- tulip_tx(s, &desc); ++ if (!tulip_copy_tx_buffers(s, &desc)) { ++ if (desc.control & TDES1_LS) { ++ tulip_tx(s, &desc); ++ } + } + } + tulip_desc_write(s, s->current_tx_desc, &desc); +-- +1.8.3.1 + |