mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-09 17:39:31 +00:00
Code Issues Projects Releases Wiki Activity

qemu: fix CVE-2020-13659

Browse Source 
(From OE-Core rev: 1bf0e91512b2c157259ed529d1fc7ea7cdac1889)

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Sakib Sajal
2020-07-14 15:51:17 -04:00
committed by Richard Purdie
parent 55b7c62b76
commit 10e2b84149
2 changed files with 59 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-devtools/qemu/qemu.inc
+1
View File
@@ -33,6 +33,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://find_datadir.patch \ file://find_datadir.patch \
file://CVE-2020-10761.patch \ file://CVE-2020-10761.patch \
file://CVE-2020-13362.patch \ file://CVE-2020-13362.patch \
file://CVE-2020-13659.patch \
" "
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
+58
View File
@@ -0,0 +1,58 @@
From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 26 May 2020 16:47:43 +0530
Subject: [PATCH] exec: set map length to zero when returning NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When mapping physical memory into host's virtual address space,
'address_space_map' may return NULL if BounceBuffer is in_use.
Set and return '*plen = 0' to avoid later NULL pointer dereference.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Upstream-Status: Backport [77f55eac6c433e23e82a1b88b2d74f385c4c7d82]
CVE: CVE-2020-13659
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
exec.c | 1 +
include/exec/memory.h | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/exec.c b/exec.c
index 9cbde85d8c..778263f1c6 100644
--- a/exec.c
+++ b/exec.c
@@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as,
if (!memory_access_is_direct(mr, is_write)) {
if (atomic_xchg(&bounce.in_use, true)) {
+ *plen = 0;
return NULL;
}
/* Avoid unbounded allocations */
diff --git a/include/exec/memory.h b/include/exec/memory.h
index bd7fdd6081..af8ca7824e 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
/* address_space_map: map a physical memory region into a host virtual address
*
* May map a subset of the requested range, given by and returned in @plen.
- * May return %NULL if resources needed to perform the mapping are exhausted.
+ * May return %NULL and set *@plen to zero(0), if resources needed to perform
+ * the mapping are exhausted.
* Use only for reads OR writes - not for read-modify-write operations.
* Use cpu_register_map_client() to know when retrying the map operation is
* likely to succeed.
--
2.20.1