mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-01 00:59:48 +00:00
Code Issues Projects Releases Wiki Activity

qemu: Secuirty fix for CVE-2016-5403

Browse Source 
affects qemu < 2.7.0-rc0

(From OE-Core rev: c53820180cdccd97de1f314078570fac1ff16052)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
2016-09-19 20:01:16 -07:00
committed by Richard Purdie
parent 11c8c8aa15
commit 76aa0c3d5d
2 changed files with 68 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
+67
View File
@@ -0,0 +1,67 @@
From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 19 Jul 2016 13:07:13 +0100
Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
A broken or malicious guest can submit more requests than the virtqueue
size permits, causing unbounded memory allocation in QEMU.
The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size. This requires reusing
vring descriptors in more than one request, which is not allowed by the
VIRTIO 1.0 specification.
In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
says:
1. The driver places the buffer into free descriptor(s) in the
descriptor table, chaining as necessary
and
Note that the above code does not take precautions against the
available ring buffer wrapping around: this is not possible since the
ring buffer is the same size as the descriptor table, so step (1) will
prevent such a condition.
This implies that placing more buffers into the virtqueue than the
descriptor table size is not allowed.
QEMU is missing the check to prevent this case. Processing a request
allocates a VirtQueueElement leading to unbounded memory allocation
controlled by the guest.
Exit with an error if the guest provides more requests than the
virtqueue size permits. This bounds memory allocation and makes the
buggy guest visible to the user.
This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
Marvel Team, China.
Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Upstream-Status: Backport
CVE: CVE-2106-5403
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
hw/virtio/virtio.c | 5 +++++
1 file changed, 5 insertions(+)
Index: qemu-2.4.0/hw/virtio/virtio.c
===================================================================
--- qemu-2.4.0.orig/hw/virtio/virtio.c
+++ qemu-2.4.0/hw/virtio/virtio.c
@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
max = vq->vring.num;
+ if (vq->inuse >= vq->vring.num) {
+ error_report("Virtqueue size exceeded");
+ exit(1);
+ }
+
i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
vring_set_avail_event(vq, vq->last_avail_idx);
meta/recipes-devtools/qemu/qemu_2.5.0.bb
+1
View File
@@ -25,6 +25,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://CVE-2016-6351_p1.patch \ file://CVE-2016-6351_p1.patch \
file://CVE-2016-6351_p2.patch \ file://CVE-2016-6351_p2.patch \
file://CVE-2016-4002.patch \ file://CVE-2016-4002.patch \
file://CVE-2016-5403.patch \
" "
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db" SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"