qemu: Fix for CVE-2024-24474
Upstream-Status: Backport
[77668e4b9b]
(From OE-Core rev: 71600de72c602e6d1ae2c3b13af6c59440affdb6)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
committed by
Steve Sakoman
@@ -103,6 +103,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
|
||||
file://CVE-2021-3638.patch \
|
||||
file://CVE-2023-1544.patch \
|
||||
file://CVE-2023-5088.patch \
|
||||
file://CVE-2024-24474.patch \
|
||||
"
|
||||
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
|
||||
|
||||
|
||||
44
meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch
Normal file
44
meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch
Normal file
@@ -0,0 +1,44 @@
|
||||
From 77668e4b9bca03a856c27ba899a2513ddf52bb52 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
|
||||
Date: Wed, 13 Sep 2023 21:44:09 +0100
|
||||
Subject: [PATCH] esp: restrict non-DMA transfer length to that of available
|
||||
data
|
||||
|
||||
In the case where a SCSI layer transfer is incorrectly terminated, it is
|
||||
possible for a TI command to cause a SCSI buffer overflow due to the
|
||||
expected transfer data length being less than the available data in the
|
||||
FIFO. When this occurs the unsigned async_len variable underflows and
|
||||
becomes a large offset which writes past the end of the allocated SCSI
|
||||
buffer.
|
||||
|
||||
Restrict the non-DMA transfer length to be the smallest of the expected
|
||||
transfer length and the available FIFO data to ensure that it is no longer
|
||||
possible for the SCSI buffer overflow to occur.
|
||||
|
||||
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
|
||||
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810
|
||||
Reviewed-by: Thomas Huth <thuth@redhat.com>
|
||||
Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
|
||||
Upstream-Status: Backport [https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52]
|
||||
CVE: CVE-2024-24474
|
||||
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||
---
|
||||
hw/scsi/esp.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 4218a6a96054..9b11d8c5738a 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -759,7 +759,8 @@ static void esp_do_nodma(ESPState *s)
|
||||
}
|
||||
|
||||
if (to_device) {
|
||||
- len = MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ);
|
||||
+ len = MIN(s->async_len, ESP_FIFO_SZ);
|
||||
+ len = MIN(len, fifo8_num_used(&s->fifo));
|
||||
esp_fifo_pop_buf(&s->fifo, s->async_buf, len);
|
||||
s->async_buf += len;
|
||||
s->async_len -= len;
|
||||