[oe-commits] [openembedded-core] 19/20: qemu: Security fix for CVE-2016-5403

git at git.openembedded.org
Fri Sep 23 22:22:43 UTC 2016


rpurdie pushed a commit to branch jethro
in repository openembedded-core.

commit 2f3f09dfbff21fb74e50e4e3ce90c252d32ebf61
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Mon Sep 19 20:01:16 2016 -0700

    qemu: Security fix for CVE-2016-5403
    
    affects qemu < 2.7.0-rc0
    
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../recipes-devtools/qemu/qemu/CVE-2016-5403.patch | 67 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.4.0.bb           |  1 +
 2 files changed, 68 insertions(+)

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
new file mode 100644
index 0000000..fe084f5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
@@ -0,0 +1,67 @@
+From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha at redhat.com>
+Date: Tue, 19 Jul 2016 13:07:13 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits, causing unbounded memory allocation in QEMU.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size.  This requires reusing
+vring descriptors in more than one request, which is not allowed by the
+VIRTIO 1.0 specification.
+
+In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
+says:
+
+  1. The driver places the buffer into free descriptor(s) in the
+     descriptor table, chaining as necessary
+
+and
+
+  Note that the above code does not take precautions against the
+  available ring buffer wrapping around: this is not possible since the
+  ring buffer is the same size as the descriptor table, so step (1) will
+  prevent such a condition.
+
+This implies that placing more buffers into the virtqueue than the
+descriptor table size is not allowed.
+
+QEMU is missing the check to prevent this case.  Processing a request
+allocates a VirtQueueElement leading to unbounded memory allocation
+controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits.  This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
+Marvel Team, China.
+
+Reported-by: Zhenhao Hong <hongzhenhao at 360.cn>
+Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2106-5403
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
++++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+ 
+     max = vq->vring.num;
+ 
++    if (vq->inuse >= vq->vring.num) {
++        error_report("Virtqueue size exceeded");
++        exit(1);
++    }
++
+     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+     if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
+         vring_set_avail_event(vq, vq->last_avail_idx);
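Review bot: the `CVE:` tag in the backported patch header reads `CVE-2106-5403`, which does not match the `CVE-2016-5403` used in the subject, in the patch description and in the patch filename; since the cve-check tooling keys off this tag to mark a CVE as patched, the typo means this fix would not be recorded against CVE-2016-5403. Suggest correcting the line to `CVE: CVE-2016-5403` before merging. The code change itself matches the description: `vq->inuse >= vq->vring.num` bounds the number of outstanding VirtQueueElements to the ring size, at the cost of terminating QEMU with `exit(1)` on a misbehaving guest, which the description accepts as making the buggy guest visible to the user.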
diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
index c33eb66..ad5ca89 100644
--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -29,6 +29,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
             file://CVE-2016-6351_p1.patch \
             file://CVE-2016-6351_p2.patch \
             file://CVE-2016-4002.patch \
+            file://CVE-2016-5403.patch \
            "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"

-- 