diff options
| author |   Armin Kuster <akuster@mvista.com> | 2016-02-08 17:29:41 -0800 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-11 12:27:27 +0000 |
| commit | b1b2f629f8e2febd086eae8fabd24322333ea172 (patch) | |
| tree | 6b0eae5d79fde027cbbc5201f5dde8f14c0c54a3 /meta/recipes-devtools/qemu | |
| parent | 21c78275f4c805f63ee20ad7f8a18359094a8c09 (diff) | |
| download | openembedded-core-b1b2f629f8e2febd086eae8fabd24322333ea172.tar.gz | |
qemu: Security fix CVE-2016-1568
CVE-2016-1568 Qemu: ide: ahci use-after-free vulnerability in aio port commands
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-devtools/qemu')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch | 46 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.5.0.bb | 1 |
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch new file mode 100644 index 0000000000..56fd346ae6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch @@ -0,0 +1,46 @@ +From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Mon, 11 Jan 2016 14:10:42 -0500 +Subject: [PATCH] ide: ahci: reset ncq object to unused on error + +When processing NCQ commands, AHCI device emulation prepares a +NCQ transfer object; To which an aio control block(aiocb) object +is assigned in 'execute_ncq_command'. In case, when the NCQ +command is invalid, the 'aiocb' object is not assigned, and NCQ +transfer object is left as 'used'. This leads to a use after +free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. +Reset NCQ transfer object to 'unused' to avoid it. + +[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] + +Reported-by: Qinghao Tang <luodalongde@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Reviewed-by: John Snow <jsnow@redhat.com> +Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com +Signed-off-by: John Snow <jsnow@redhat.com> + +Upstream-Status: Backport + +http://git.qemu.org/?p=qemu.git;a=commit;h=4ab0359a8ae182a7ac5c99609667273167703fab + +CVE: CVE-2016-1568 +[Yocto # 9013] + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/ide/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +Index: qemu-2.5.0/hw/ide/ahci.c +=================================================================== +--- qemu-2.5.0.orig/hw/ide/ahci.c ++++ qemu-2.5.0/hw/ide/ahci.c +@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *nc + ide_state->error = ABRT_ERR; + ide_state->status = READY_STAT | ERR_STAT; + ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag); ++ ncq_tfs->used = 0; + } + + static void ncq_finish(NCQTransferState *ncq_tfs) diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb index 6ad7bbb68f..e51ec16882 100644 --- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb @@ -7,6 +7,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ file://qemu-enlarge-env-entry-size.patch \ file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ file://no-valgrind.patch \ + file://CVE-2016-1568.patch \ " SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db" |