mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

qemu: fix CVE-2021-3527

Browse Source 
(From OE-Core rev: 6774efd1e3d0bd5c8c34f84dcf4f698d7eafb36a)

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Lee Chee Yang
2021-06-25 13:51:39 +08:00
committed by Richard Purdie
parent f0b9303004
commit 8444eacecd
3 changed files with 103 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
meta/recipes-devtools/qemu/qemu.inc
View File

@@ -37,6 +37,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \ file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \
file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \ file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \
file://0001-linux-user-Tag-vsx-with-ieee128-fpbits.patch \ file://0001-linux-user-Tag-vsx-with-ieee128-fpbits.patch \
file://CVE-2021-3527-1.patch \
file://CVE-2021-3527-2.patch \
" "
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"

42
meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch Normal file
View File

@@ -0,0 +1,42 @@
From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 3 May 2021 15:29:15 +0200
Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
usb-host and usb-redirect try to batch bulk transfers by combining many
small usb packets into a single, large transfer request, to reduce the
overhead and improve performance.
This patch adds a size limit of 1 MiB for those combined packets to
restrict the host resources the guest can bind that way.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
Upstream-Status: Backport
https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
CVE: CVE-2021-3527
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
hw/usb/combined-packet.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
index 5d57e883dc..e56802f89a 100644
--- a/hw/usb/combined-packet.c
+++ b/hw/usb/combined-packet.c
@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
next == NULL ||
/* Work around for Linux usbfs bulk splitting + migration */
- (totalsize == (16 * KiB - 36) && p->int_req)) {
+ (totalsize == (16 * KiB - 36) && p->int_req) ||
+ /* Next package may grow combined package over 1MiB */
+ totalsize > 1 * MiB - ep->max_packet_size) {
usb_device_handle_data(ep->dev, first);
assert(first->status == USB_RET_ASYNC);
if (first->combined) {
--
GitLab

59
meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch Normal file
View File

@@ -0,0 +1,59 @@
From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 3 May 2021 15:29:12 +0200
Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use autofree heap allocation instead.
Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
Upstream-Status: Backport
https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
CVE: CVE-2021-3527
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
hw/usb/redirect.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 17f06f3417..6a75b0dc4a 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
.endpoint = ep,
.length = p->iov.size
};
- uint8_t buf[p->iov.size];
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
/* No id, we look at the ep when receiving a status back */
usb_packet_copy(p, buf, p->iov.size);
usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
usbredirparser_send_bulk_packet(dev->parser, p->id,
&bulk_packet, NULL, 0);
} else {
- uint8_t buf[size];
+ g_autofree uint8_t *buf = g_malloc(size);
usb_packet_copy(p, buf, size);
usbredir_log_data(dev, "bulk data out:", buf, size);
usbredirparser_send_bulk_packet(dev->parser, p->id,
@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
USBPacket *p, uint8_t ep)
{
struct usb_redir_interrupt_packet_header interrupt_packet;
- uint8_t buf[p->iov.size];
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
p->iov.size, p->id);
--
GitLab