[OE-core] [PATCH 1/2] qemu: fix CVE-2017-16845

Hongxu Jia hongxu.jia at windriver.com
Thu Apr 26 01:29:00 UTC 2018


On 2018-04-26 04:10, Martin Jansa wrote:
> FWIW: in 
> http://git.openembedded.org/openembedded-core-contrib/log/?h=jansa/qemu 
> I have WIP qemu upgrade to 2.12.0 which includes this fix as well.
>

Got it, thanks

//Hongxu

> On Tue, Apr 24, 2018 at 9:37 AM, Hongxu Jia <hongxu.jia at windriver.com> wrote:
>
>     During Qemu guest migration, a destination process invokes ps2
>     post_load function. In that, if 'rptr' and 'count' values were
>     invalid, it could lead to OOB access or infinite loop issue.
>     Add check to avoid it.
>
>     Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>     ---
>      ...ck-PS2Queue-pointers-in-post_load-routine.patch | 63 ++++++++++++++++++++++
>      meta/recipes-devtools/qemu/qemu_2.11.1.bb           |  1 +
>      2 files changed, 64 insertions(+)
>      create mode 100644 meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch
>
>     diff --git a/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch b/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch
>     new file mode 100644
>     index 0000000..f8d7f66
>     --- /dev/null
>     +++ b/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch
>     @@ -0,0 +1,63 @@
>     +From ee9a17d0e12143971a9676227cce953c0dbe52fb Mon Sep 17 00:00:00
>     2001
>     +From: Prasad J Pandit <pjp at fedoraproject.org
>     <mailto:pjp at fedoraproject.org>>
>     +Date: Thu, 16 Nov 2017 13:21:55 +0530
>     +Subject: [PATCH] ps2: check PS2Queue pointers in post_load routine
>     +
>     +During Qemu guest migration, a destination process invokes ps2
>     +post_load function. In that, if 'rptr' and 'count' values were
>     +invalid, it could lead to OOB access or infinite loop issue.
>     +Add check to avoid it.
>     +
>     +Reported-by: Cyrille Chatras <cyrille.chatras at orange.com
>     <mailto:cyrille.chatras at orange.com>>
>     +Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org
>     <mailto:pjp at fedoraproject.org>>
>     +Message-id: 20171116075155.22378-1-ppandit at redhat.com
>     <mailto:20171116075155.22378-1-ppandit at redhat.com>
>     +Signed-off-by: Gerd Hoffmann <kraxel at redhat.com
>     <mailto:kraxel at redhat.com>>
>     +
>     +CVE: CVE-2017-16845
>     +Upstream-Status: Backport
>     +Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com
>     <mailto:hongxu.jia at windriver.com>>
>     +---
>     + hw/input/ps2.c | 21 +++++++++------------
>     + 1 file changed, 9 insertions(+), 12 deletions(-)
>     +
>     +diff --git a/hw/input/ps2.c b/hw/input/ps2.c
>     +index f388a23..de171a2 100644
>     +--- a/hw/input/ps2.c
>     ++++ b/hw/input/ps2.c
>     +@@ -1225,24 +1225,21 @@ static void ps2_common_reset(PS2State *s)
>     + static void ps2_common_post_load(PS2State *s)
>     + {
>     +     PS2Queue *q = &s->queue;
>     +-    int size;
>     +-    int i;
>     +-    int tmp_data[PS2_QUEUE_SIZE];
>     ++    uint8_t i, size;
>     ++    uint8_t tmp_data[PS2_QUEUE_SIZE];
>     +
>     +     /* set the useful data buffer queue size, < PS2_QUEUE_SIZE */
>     +-    size = q->count > PS2_QUEUE_SIZE ? 0 : q->count;
>     ++    size = (q->count < 0 || q->count > PS2_QUEUE_SIZE) ? 0 :
>     q->count;
>     +
>     +     /* move the queue elements to the start of data array */
>     +-    if (size > 0) {
>     +-        for (i = 0; i < size; i++) {
>     +-            /* move the queue elements to the temporary buffer */
>     +-            tmp_data[i] = q->data[q->rptr];
>     +-            if (++q->rptr == 256) {
>     +-                q->rptr = 0;
>     +-            }
>     ++    for (i = 0; i < size; i++) {
>     ++        if (q->rptr < 0 || q->rptr >= sizeof(q->data)) {
>     ++            q->rptr = 0;
>     +         }
>     +-        memcpy(q->data, tmp_data, size);
>     ++        tmp_data[i] = q->data[q->rptr++];
>     +     }
>     ++    memcpy(q->data, tmp_data, size);
>     ++
>     +     /* reset rptr/wptr/count */
>     +     q->rptr = 0;
>     +     q->wptr = size;
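Review bot: the comment `/* set the useful data buffer queue size, < PS2_QUEUE_SIZE */` is kept unchanged while the new check `(q->count < 0 || q->count > PS2_QUEUE_SIZE) ? 0 : q->count` accepts `count == PS2_QUEUE_SIZE` (a full queue, which is a legitimate state); update the comment to `<= PS2_QUEUE_SIZE` so a later reader does not "correct" the check to match it. Two things the commit message should also say, since both are visible in the hunk but not explained: the old loop wrapped `rptr` at the literal `256` whereas the new one bounds it by `sizeof(q->data)`, and `tmp_data` changes from `int` to `uint8_t`, which repairs the old `memcpy(q->data, tmp_data, size)` that copied `size` bytes out of an `int` array (the first `size/sizeof(int)` elements, not `size` elements). Lastly, an out-of-range `rptr` is silently reset to 0 and the copy continues, so a corrupt stream produces a queue holding the wrong bytes rather than a failed migration; if that is the intended behaviour for this void post_load hook, a one-line comment at the reset would make the choice explicit.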
>     +--
>     +2.7.4
>     +
>     diff --git a/meta/recipes-devtools/qemu/qemu_2.11.1.bb b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
>     index f4b7d69..ab82c5f 100644
>     --- a/meta/recipes-devtools/qemu/qemu_2.11.1.bb
>     +++ b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
>     @@ -22,6 +22,7 @@ SRC_URI =
>     "http://wiki.qemu-project.org/download/${BP}.tar.bz2
>     <http://wiki.qemu-project.org/download/$%7BBP%7D.tar.bz2> \
>                
>     file://linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
>                 file://memfd.patch \
>                
>     file://0001-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch
>     \
>     +         
>      file://check-PS2Queue-pointers-in-post_load-routine.patch \
>                 "
>      UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
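Review bot: the new SRC_URI entry names the file after the upstream subject (`check-PS2Queue-pointers-in-post_load-routine.patch`) rather than after the CVE it fixes, which is the common convention for CVE backports in OE-core recipes (`CVE-2017-16845.patch`); the `CVE: CVE-2017-16845` tag inside the patch header is what cve-check picks up, so the fix is still accounted for, but a CVE-named file makes auditing the recipe directory for a given advisory a plain directory listing. Either keep the name and rely on the header tag, or rename and drop the subject into the patch header only.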
>
>     -- 
>     2.7.4
>
>     -- 
>     _______________________________________________
>     Openembedded-core mailing list
>     Openembedded-core at lists.openembedded.org
>     http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>
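The failure mode described in the quoted commit message, as an added example that is not QEMU's code and not part of the original thread: a hypothetical stand-in for PS2Queue (name, layout and the assumption that PS2_QUEUE_SIZE is 16 are mine) is loaded with constructed migration states, the pre-patch index arithmetic is replayed without dereferencing so the program stays well-defined while reporting which rptr/count values would have been read out of bounds, and the hardened logic of the patch is applied to the same states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: PS2_QUEUE_SIZE is 16 bytes; the pre-patch loop wrapped at 256. */
#define PS2_QUEUE_SIZE 16

/* Hypothetical stand-in for QEMU's PS2Queue. The pointer fields are plain
 * ints, so a migration stream can deliver negative or oversized values. */
typedef struct {
    uint8_t data[PS2_QUEUE_SIZE];
    int rptr, wptr, count;
} PS2Queue;

/* Replay the index arithmetic of the pre-patch loop without touching memory
 * and return the first data[] index it would read out of bounds (-1 = none). */
static int old_logic_first_oob_index(const PS2Queue *q)
{
    int rptr = q->rptr;
    int size = q->count > PS2_QUEUE_SIZE ? 0 : q->count;   /* no < 0 check */

    for (int i = 0; i < size; i++) {
        if (rptr < 0 || rptr >= PS2_QUEUE_SIZE) {
            return rptr;
        }
        if (++rptr == 256) {        /* stale wrap constant, not sizeof(data) */
            rptr = 0;
        }
    }
    return -1;
}

/* Hardened post_load following the patch: a count outside [0, PS2_QUEUE_SIZE]
 * empties the queue, an rptr outside data[] is reset to 0 before each read,
 * and rptr/wptr/count are normalised to the compacted layout. */
static void hardened_post_load(PS2Queue *q)
{
    uint8_t i, size;
    uint8_t tmp_data[PS2_QUEUE_SIZE];

    size = (q->count < 0 || q->count > PS2_QUEUE_SIZE) ? 0 : (uint8_t)q->count;

    for (i = 0; i < size; i++) {
        if (q->rptr < 0 || q->rptr >= (int)sizeof(q->data)) {
            q->rptr = 0;
        }
        tmp_data[i] = q->data[q->rptr++];
    }
    memcpy(q->data, tmp_data, size);

    q->rptr = 0;
    q->wptr = size;
    q->count = size;
}

/* Constructed migration payload: bytes 0..15 in storage order plus the
 * caller's (possibly hostile) rptr/count, standing in for vmstate input. */
static PS2Queue make_state(int rptr, int count)
{
    PS2Queue q;
    for (int i = 0; i < PS2_QUEUE_SIZE; i++) {
        q.data[i] = (uint8_t)i;
    }
    q.rptr = rptr;
    q.wptr = 0;
    q.count = count;
    return q;
}

/* Probes: what the old code would have done, and what the hardened code does. */
static int old_oob_for(int rptr, int count)
{
    PS2Queue q = make_state(rptr, count);
    return old_logic_first_oob_index(&q);
}

static int hardened_count_after(int rptr, int count)
{
    PS2Queue q = make_state(rptr, count);
    hardened_post_load(&q);
    return q.count;
}

/* Byte at data[idx] after the hardened post_load, or -1 for a bad idx. */
static int hardened_byte_after(int rptr, int count, int idx)
{
    if (idx < 0 || idx >= PS2_QUEUE_SIZE) {
        return -1;
    }
    PS2Queue q = make_state(rptr, count);
    hardened_post_load(&q);
    return q.data[idx];
}

int main(void)
{
    const int cases[][2] = { {2, 3}, {14, 4}, {200, 2}, {-5, 1}, {0, -1}, {0, 100} };
    for (size_t n = 0; n < sizeof cases / sizeof cases[0]; n++) {
        int r = cases[n][0], c = cases[n][1];
        printf("rptr=%4d count=%4d  old: first OOB index %4d  hardened: count %2d data[0..3] = %2d %2d %2d %2d\n",
               r, c, old_oob_for(r, c), hardened_count_after(r, c),
               hardened_byte_after(r, c, 0), hardened_byte_after(r, c, 1),
               hardened_byte_after(r, c, 2), hardened_byte_after(r, c, 3));
    }
    return 0;
}
```

The (14, 4) case is the instructive one: it is an ordinary wrapped queue, yet the pre-patch loop reaches index 16 because it wraps at 256 instead of at the array size, so the bug was reachable without a hostile stream; the hardened reset-to-0 at `sizeof(q->data)` doubles as the correct wrap and yields 14, 15, 0, 1. Negative or huge rptr values and negative or oversized counts are the hostile inputs the CVE text is about, and the hardened probes show each of them reduced to either a clamped read or an empty queue.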


