summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu
diff options
context:
space:
mode:
authorKai Kang <kai.kang@windriver.com>2016-11-10 15:01:25 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-01-11 11:46:39 +0000
commit469267010b43a1c114e22009c9ac68f36c22f896 (patch)
treed57135c3230354b45e1822de71133ccfa2d591f3 /meta/recipes-devtools/qemu
parent2ece9c0e955ee99543968ddfd14da909e23ae611 (diff)
downloadopenembedded-core-469267010b43a1c114e22009c9ac68f36c22f896.tar.gz
openembedded-core-469267010b43a1c114e22009c9ac68f36c22f896.tar.bz2
openembedded-core-469267010b43a1c114e22009c9ac68f36c22f896.zip
qemu: fix CVE-2016-7909
Backport patch to fix CVE-2016-7909 of qemu. Ref: https://security-tracker.debian.org/tracker/CVE-2016-7909 (From OE-Core rev: 126783ca25a5ae9daf87ac563239fbff4696a682) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r--meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.7.0.bb1
2 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
new file mode 100644
index 0000000000..e71bbf6205
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
@@ -0,0 +1,42 @@
+Upstream-Status: Backport [http://git.qemu.org/?p=qemu.git;a=commit;h=34e29ce]
+CVE: CVE-2016-7909
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 34e29ce754c02bb6b3bdd244fbb85033460feaff Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 30 Sep 2016 00:27:33 +0530
+Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
+
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/pcnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 198a01f..3078de8 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
+ case 47: /* POLLINT */
+ case 72:
+ case 74:
++ break;
+ case 76: /* RCVRL */
+ case 78: /* XMTRL */
++ val = (val > 0) ? val : 512;
++ break;
+ case 112:
+ if (CSR_STOP(s) || CSR_SPND(s))
+ break;
+--
+2.10.1
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
index a75bcdfa0b..cef181dcea 100644
--- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \
file://0002-fix-CVE-2016-7423.patch \
file://0003-fix-CVE-2016-7908.patch \
+ file://0004-fix-CVE-2016-7909.patch \
"
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"