[oe-commits] [openembedded-core] 04/12: qemu: fix CVE-2019-3812

Thu Mar 21 16:21:27 UTC 2019

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch master-next
in repository openembedded-core.

commit ad1d982a40d4b6b27fa93ac406b51ccdb1545254
Author: Ross Burton <ross.burton at intel.com>
AuthorDate: Thu Mar 21 12:31:29 2019 +0000

    qemu: fix CVE-2019-3812
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 meta/recipes-devtools/qemu/qemu.inc                |  1 +
 .../recipes-devtools/qemu/qemu/CVE-2019-3812.patch | 39 ++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 2babfe4..e503aa8 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,6 +29,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0017-fix-CVE-2018-20126.patch \
            file://0018-fix-CVE-2018-20191.patch \
            file://0019-fix-CVE-2018-20216.patch \
+           file://CVE-2019-3812.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
new file mode 100644
index 0000000..7de5882
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
@@ -0,0 +1,39 @@
+QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an
+out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc()
+function. A local attacker with permission to execute i2c commands could exploit
+this to read stack memory of the qemu process on the host.
+
+CVE: CVE-2019-3812
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton at intel.com>
+
+From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel at redhat.com>
+Date: Tue, 8 Jan 2019 11:23:01 +0100
+Subject: [PATCH] i2c-ddc: fix oob read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Suggested-by: Michael Hanselmann <public at hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+Reviewed-by: Michael Hanselmann <public at hansmi.ch>
+Reviewed-by: Philippe Mathieu-Daudé <philmd at redhat.com>
+Message-id: 20190108102301.1957-1-kraxel at redhat.com
+---
+ hw/i2c/i2c-ddc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
+index be34fe072cf..0a0367ff38f 100644
+--- a/hw/i2c/i2c-ddc.c
++++ b/hw/i2c/i2c-ddc.c
+@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
+     I2CDDCState *s = I2CDDC(i2c);
+ 
+     int value;
+-    value = s->edid_blob[s->reg];
++    value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
+     s->reg++;
+     return value;
+ }

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.
