diff options
| author |   Ross Burton <ross.burton@intel.com> | 2019-03-21 12:31:29 +0000 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-03-24 16:59:43 +0000 |
| commit | 0135c0bf2a6cfd43c86d67ad0a0a2eaadc05cc47 (patch) | |
| tree | 79dee1476e3bee8f4306af5bf009b32de983b596 /meta | |
| parent | 3e06fc90f8c3e657db471e4d6eb20b0059d3f690 (diff) | |
| download | openembedded-core-0135c0bf2a6cfd43c86d67ad0a0a2eaadc05cc47.tar.gz | |
qemu: fix CVE-2019-3812
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch | 39 |
2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 2babfe4c6f..e503aa866d 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -29,6 +29,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0017-fix-CVE-2018-20126.patch \ file://0018-fix-CVE-2018-20191.patch \ file://0019-fix-CVE-2018-20216.patch \ + file://CVE-2019-3812.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch new file mode 100644 index 0000000000..7de5882b3e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch @@ -0,0 +1,39 @@ +QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an +out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() +function. A local attacker with permission to execute i2c commands could exploit +this to read stack memory of the qemu process on the host. + +CVE: CVE-2019-3812 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 8 Jan 2019 11:23:01 +0100 +Subject: [PATCH] i2c-ddc: fix oob read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Suggested-by: Michael Hanselmann <public@hansmi.ch> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reviewed-by: Michael Hanselmann <public@hansmi.ch> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-id: 20190108102301.1957-1-kraxel@redhat.com +--- + hw/i2c/i2c-ddc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c +index be34fe072cf..0a0367ff38f 100644 +--- a/hw/i2c/i2c-ddc.c ++++ b/hw/i2c/i2c-ddc.c +@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c) + I2CDDCState *s = I2CDDC(i2c); + + int value; +- value = s->edid_blob[s->reg]; ++ value = s->edid_blob[s->reg % sizeof(s->edid_blob)]; + s->reg++; + return value; + } |