Re: [OE-core] [PATCH 1/2] qemu: fix CVE-2017-16845

Wed, 25 Apr 2018 13:35:52 -0700 

FWIW: in
http://git.openembedded.org/openembedded-core-contrib/log/?h=jansa/qemu I
have WIP qemu upgrade to 2.12.0 which includes this fix as well.

On Tue, Apr 24, 2018 at 9:37 AM, Hongxu Jia <hongxu....@windriver.com>
wrote:

> During Qemu guest migration, a destination process invokes ps2
> post_load function. In that, if 'rptr' and 'count' values were
> invalid, it could lead to OOB access or infinite loop issue.
> Add check to avoid it.
>
> Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
> ---
>  ...ck-PS2Queue-pointers-in-post_load-routine.patch | 63
> ++++++++++++++++++++++
>  meta/recipes-devtools/qemu/qemu_2.11.1.bb          |  1 +
>  2 files changed, 64 insertions(+)
>  create mode 100644 meta/recipes-devtools/qemu/
> qemu/check-PS2Queue-pointers-in-post_load-routine.patch
>
> diff --git 
> a/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch
> b/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-
> in-post_load-routine.patch
> new file mode 100644
> index 0000000..f8d7f66
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-
> in-post_load-routine.patch
> @@ -0,0 +1,63 @@
> +From ee9a17d0e12143971a9676227cce953c0dbe52fb Mon Sep 17 00:00:00 2001
> +From: Prasad J Pandit <p...@fedoraproject.org>
> +Date: Thu, 16 Nov 2017 13:21:55 +0530
> +Subject: [PATCH] ps2: check PS2Queue pointers in post_load routine
> +
> +During Qemu guest migration, a destination process invokes ps2
> +post_load function. In that, if 'rptr' and 'count' values were
> +invalid, it could lead to OOB access or infinite loop issue.
> +Add check to avoid it.
> +
> +Reported-by: Cyrille Chatras <cyrille.chat...@orange.com>
> +Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> +Message-id: 20171116075155.22378-1-ppan...@redhat.com
> +Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
> +
> +CVE: CVE-2017-16845
> +Upstream-Status: Backport
> +Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
> +---
> + hw/input/ps2.c | 21 +++++++++------------
> + 1 file changed, 9 insertions(+), 12 deletions(-)
> +
> +diff --git a/hw/input/ps2.c b/hw/input/ps2.c
> +index f388a23..de171a2 100644
> +--- a/hw/input/ps2.c
> ++++ b/hw/input/ps2.c
> +@@ -1225,24 +1225,21 @@ static void ps2_common_reset(PS2State *s)
> + static void ps2_common_post_load(PS2State *s)
> + {
> +     PS2Queue *q = &s->queue;
> +-    int size;
> +-    int i;
> +-    int tmp_data[PS2_QUEUE_SIZE];
> ++    uint8_t i, size;
> ++    uint8_t tmp_data[PS2_QUEUE_SIZE];
> +
> +     /* set the useful data buffer queue size, < PS2_QUEUE_SIZE */
> +-    size = q->count > PS2_QUEUE_SIZE ? 0 : q->count;
> ++    size = (q->count < 0 || q->count > PS2_QUEUE_SIZE) ? 0 : q->count;
> +
> +     /* move the queue elements to the start of data array */
> +-    if (size > 0) {
> +-        for (i = 0; i < size; i++) {
> +-            /* move the queue elements to the temporary buffer */
> +-            tmp_data[i] = q->data[q->rptr];
> +-            if (++q->rptr == 256) {
> +-                q->rptr = 0;
> +-            }
> ++    for (i = 0; i < size; i++) {
> ++        if (q->rptr < 0 || q->rptr >= sizeof(q->data)) {
> ++            q->rptr = 0;
> +         }
> +-        memcpy(q->data, tmp_data, size);
> ++        tmp_data[i] = q->data[q->rptr++];
> +     }
> ++    memcpy(q->data, tmp_data, size);
> ++
> +     /* reset rptr/wptr/count */
> +     q->rptr = 0;
> +     q->wptr = size;
> +--
> +2.7.4
> +
> diff --git a/meta/recipes-devtools/qemu/qemu_2.11.1.bb
> b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
> index f4b7d69..ab82c5f 100644
> --- a/meta/recipes-devtools/qemu/qemu_2.11.1.bb
> +++ b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
> @@ -22,6 +22,7 @@ SRC_URI = "http://wiki.qemu-project.org/
> download/${BP}.tar.bz2 \
>             file://linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
> \
>             file://memfd.patch \
>             
> file://0001-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch
> \
> +           file://check-PS2Queue-pointers-in-post_load-routine.patch \
>             "
>  UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
>
> --
> 2.7.4
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Reply via email to