[OE-core] [PATCH 0/1] Backport patches to fix qemu cves
kai.kang at windriver.com
kai.kang at windriver.com
Fri Mar 15 08:01:18 UTC 2019
From: Kai Kang <kai.kang at windriver.com>
Kai Kang (1):
qemu: backport patches to fix cves
meta/recipes-devtools/qemu/qemu.inc | 6 +
.../qemu/qemu/0014-fix-CVE-2018-16872.patch | 85 +++++++++++++
.../qemu/qemu/0015-fix-CVE-2018-20124.patch | 60 ++++++++++
.../qemu/qemu/0016-fix-CVE-2018-20125.patch | 54 +++++++++
.../qemu/qemu/0017-fix-CVE-2018-20126.patch | 113 ++++++++++++++++++
.../qemu/qemu/0018-fix-CVE-2018-20191.patch | 47 ++++++++
.../qemu/qemu/0019-fix-CVE-2018-20216.patch | 85 +++++++++++++
7 files changed, 450 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch
Following are the differences of 0015-fix-CVE-2018-20124.patch and
0017-fix-CVE-2018-20126.patch compare to the original patches:
diff --git a/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch b/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch
index 48b2aa6560..ad846958a7 100644
--- a/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch
+++ b/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch
@@ -26,32 +26,32 @@ Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum at gmail.com>
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
-index ae1e4dcb29..bd4710d16f 100644
+index d7a4bbd9..7f8028f8 100644
--- a/hw/rdma/rdma_backend.c
+++ b/hw/rdma/rdma_backend.c
-@@ -476,9 +476,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
+@@ -311,9 +311,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
}
pr_dbg("num_sge=%d\n", num_sge);
- if (!num_sge) {
- pr_dbg("num_sge=0\n");
-- complete_work(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
+- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
+ if (!num_sge || num_sge > MAX_SGE) {
+ pr_dbg("invalid num_sge=%d\n", num_sge);
-+ complete_work(IBV_WC_GENERAL_ERR, VENDOR_ERR_INV_NUM_SGE, ctx);
++ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_INV_NUM_SGE, ctx);
return;
}
-@@ -603,9 +603,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
+@@ -390,9 +390,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
}
pr_dbg("num_sge=%d\n", num_sge);
- if (!num_sge) {
- pr_dbg("num_sge=0\n");
-- complete_work(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
+- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
+ if (!num_sge || num_sge > MAX_SGE) {
+ pr_dbg("invalid num_sge=%d\n", num_sge);
-+ complete_work(IBV_WC_GENERAL_ERR, VENDOR_ERR_INV_NUM_SGE, ctx);
++ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_INV_NUM_SGE, ctx);
return;
}
diff --git a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch b/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
index 054ae8513a..8329f2cfd0 100644
--- a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
+++ b/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
@@ -18,14 +18,14 @@ Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia at oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum at gmail.com>
---
- hw/rdma/vmw/pvrdma_cmd.c | 37 ++++++++++++++++++++++++++-----------
- 1 file changed, 26 insertions(+), 11 deletions(-)
+ hw/rdma/vmw/pvrdma_cmd.c | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
-index f236ac4795..89920887bf 100644
+index 4faeb21..9b6796f 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
-@@ -313,6 +313,14 @@ out:
+@@ -310,6 +310,14 @@ out:
return rc;
}
@@ -40,17 +40,17 @@ index f236ac4795..89920887bf 100644
static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
union pvrdma_cmd_resp *rsp)
{
-@@ -335,6 +343,10 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
+@@ -333,6 +341,10 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
- rc = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev, cmd->cqe,
- &resp->cq_handle, ring);
-+ if (rc) {
+ resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
+ cmd->cqe, &resp->cq_handle, ring);
++ if (resp->hdr.err) {
+ destroy_cq_ring(ring);
+ }
+
resp->cqe = cmd->cqe;
- return rc;
+ out:
@@ -356,10 +368,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
}
@@ -63,7 +63,7 @@ index f236ac4795..89920887bf 100644
rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
-@@ -457,6 +466,17 @@ out:
+@@ -451,6 +460,17 @@ out:
return rc;
}
@@ -81,15 +81,19 @@ index f236ac4795..89920887bf 100644
static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
union pvrdma_cmd_resp *rsp)
{
-@@ -486,6 +506,7 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
- cmd->max_recv_sge, cmd->recv_cq_handle, rings,
- &resp->qpn);
- if (rc) {
-+ destroy_qp_rings(rings);
- return rc;
- }
+@@ -482,6 +502,11 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
+ cmd->max_recv_wr, cmd->max_recv_sge,
+ cmd->recv_cq_handle, rings, &resp->qpn);
-@@ -558,13 +579,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
++ if (resp->hdr.err) {
++ destroy_qp_rings(rings);
++ return resp->hdr.err;
++ }
++
+ resp->max_send_wr = cmd->max_send_wr;
+ resp->max_recv_wr = cmd->max_recv_wr;
+ resp->max_send_sge = cmd->max_send_sge;
+@@ -555,13 +580,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
ring = (PvrdmaRing *)qp->opaque;
--
2.20.0
More information about the Openembedded-core
mailing list