diff options
| author | Daniel NĂ©ri <dne+alpine@mayonnaise.net> | 2020-09-07 23:02:33 +0200 |
|---|---|---|
| committer | Leo <thinkabit.ukim@gmail.com> | 2020-09-09 03:03:22 +0000 |
| commit | 52e19c8d43c3288d582e6b9cf7a0d8244cfd5190 (patch) | |
| tree | 4671fc84e24d83764e0d9bdb0d96440483466420 | |
| parent | 5956c1bcf15683cac4ac1bdc354394e033def299 (diff) | |
community/qemu: security fix for CVE-2020-14364
| -rw-r--r-- | community/qemu/0001-usb-fix-setup_len-init.patch | 84 | ||||
| -rw-r--r-- | community/qemu/APKBUILD | 6 |
2 files changed, 89 insertions, 1 deletions
diff --git a/community/qemu/0001-usb-fix-setup_len-init.patch b/community/qemu/0001-usb-fix-setup_len-init.patch new file mode 100644 index 00000000000..d8c8e615d5c --- /dev/null +++ b/community/qemu/0001-usb-fix-setup_len-init.patch @@ -0,0 +1,84 @@ +>From c5bd2924c6d6a5bcbffb8b5e7798a88970131c07 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 17 Aug 2020 08:34:22 +0200 +Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364) + +Store calculated setup_len in a local variable, verify it, and only +write it to the struct (USBDevice->setup_len) in case it passed the +sanity checks. + +This prevents other code (do_token_{in,out} functions specifically) +from working with invalid USBDevice->setup_len values and overrunning +the USBDevice->setup_buf[] buffer. + +Fixes: CVE-2020-14364 +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/usb/core.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/hw/usb/core.c b/hw/usb/core.c +index 5abd128b6bc5..5234dcc73fea 100644 +--- a/hw/usb/core.c ++++ b/hw/usb/core.c +@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream) + static void do_token_setup(USBDevice *s, USBPacket *p) + { + int request, value, index; ++ unsigned int setup_len; + + if (p->iov.size != 8) { + p->status = USB_RET_STALL; +@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p) + usb_packet_copy(p, s->setup_buf, p->iov.size); + s->setup_index = 0; + p->actual_length = 0; +- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; +- if (s->setup_len > sizeof(s->data_buf)) { ++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; ++ if (setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", +- s->setup_len, sizeof(s->data_buf)); ++ setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; + return; + } ++ s->setup_len = setup_len; + + request = (s->setup_buf[0] << 8) | s->setup_buf[1]; + value = (s->setup_buf[3] << 8) | s->setup_buf[2]; +@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p) + static void do_parameter(USBDevice *s, USBPacket *p) + { + int i, request, value, index; ++ unsigned int setup_len; + + for (i = 0; i < 8; i++) { + s->setup_buf[i] = p->parameter >> (i*8); + } + + s->setup_state = SETUP_STATE_PARAM; +- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; + s->setup_index = 0; + + request = (s->setup_buf[0] << 8) | s->setup_buf[1]; + value = (s->setup_buf[3] << 8) | s->setup_buf[2]; + index = (s->setup_buf[5] << 8) | s->setup_buf[4]; + +- if (s->setup_len > sizeof(s->data_buf)) { ++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; ++ if (setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", +- s->setup_len, sizeof(s->data_buf)); ++ setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; + return; + } ++ s->setup_len = setup_len; + + if (p->pid == USB_TOKEN_OUT) { + usb_packet_copy(p, s->data_buf, s->setup_len); +-- +2.18.4 diff --git a/community/qemu/APKBUILD b/community/qemu/APKBUILD index bfbf9f3d8ee..53218009208 100644 --- a/community/qemu/APKBUILD +++ b/community/qemu/APKBUILD @@ -4,7 +4,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=qemu pkgver=5.0.0 -pkgrel=1 +pkgrel=2 pkgdesc="QEMU is a generic machine emulator and virtualizer" url="https://qemu.org/" arch="all" @@ -165,6 +165,7 @@ source="https://wiki.qemu-project.org/download/qemu-$pkgver.tar.xz fix-sockios-header.patch test-crypto-ivgen-skip-essiv.patch guest-agent-shutdown.patch + 0001-usb-fix-setup_len-init.patch $pkgname-guest-agent.confd $pkgname-guest-agent.initd @@ -173,6 +174,8 @@ source="https://wiki.qemu-project.org/download/qemu-$pkgver.tar.xz " # secfixes: +# 5.0.0-r2: +# - CVE-2020-14364 # 2.8.1-r1: # - CVE-2016-7994 # - CVE-2016-7995 @@ -402,6 +405,7 @@ d7de79ea74e36702cac4a59e472564a55f0a663be7e63c3755e32b4b5dfbc04b390ee79f09f43f6a 39590476a4ebd7c1e79a4f0451b24c75b1817a2a83abaa1f71bb60b225d772152f0af8f3e51ff65645e378c536ffa6ff551dade52884d03a14b7c6a19c5c97d4 fix-sockios-header.patch 8b8db136f78bd26b5da171effa9e11016ec2bc3e2fc8107228b5543b47aa370978ed883794aa4f917f334e284a5b49e82070e1da2d31d49301195b6713a48eff test-crypto-ivgen-skip-essiv.patch b8e58bcc409f25cc6ff59967ed68f4de0a8656ec4db71ab663cc77761f8210b3f85c475fceb32dec934dc02a5c4f679a8313edbcf84e149692a81764c8904f67 guest-agent-shutdown.patch +708e38bdd758a06aa3a269aafc8eca1717b2e70dca4c06e5c8936ae3dbd6e64e43eb4a065bda4cf2216797eea72ab8457fd5a5a796fcca72e48344a0d40d9ef4 0001-usb-fix-setup_len-init.patch d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd 1cd24c2444c5935a763c501af2b0da31635aad9cf62e55416d6477fcec153cddbe7de205d99616def11b085e0dd366ba22463d2270f831d884edbc307c7864a6 qemu-guest-agent.initd 9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules |