aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel NĂ©ri <dne+alpine@mayonnaise.net>2020-09-07 23:02:33 +0200
committerLeo <thinkabit.ukim@gmail.com>2020-09-09 03:03:22 +0000
commit52e19c8d43c3288d582e6b9cf7a0d8244cfd5190 (patch)
tree4671fc84e24d83764e0d9bdb0d96440483466420
parent5956c1bcf15683cac4ac1bdc354394e033def299 (diff)
community/qemu: security fix for CVE-2020-14364
-rw-r--r--community/qemu/0001-usb-fix-setup_len-init.patch84
-rw-r--r--community/qemu/APKBUILD6
2 files changed, 89 insertions, 1 deletions
diff --git a/community/qemu/0001-usb-fix-setup_len-init.patch b/community/qemu/0001-usb-fix-setup_len-init.patch
new file mode 100644
index 00000000000..d8c8e615d5c
--- /dev/null
+++ b/community/qemu/0001-usb-fix-setup_len-init.patch
@@ -0,0 +1,84 @@
+>From c5bd2924c6d6a5bcbffb8b5e7798a88970131c07 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 17 Aug 2020 08:34:22 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128b6bc5..5234dcc73fea 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+ int request, value, index;
++ unsigned int setup_len;
+
+ if (p->iov.size != 8) {
+ p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ usb_packet_copy(p, s->setup_buf, p->iov.size);
+ s->setup_index = 0;
+ p->actual_length = 0;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+ int i, request, value, index;
++ unsigned int setup_len;
+
+ for (i = 0; i < 8; i++) {
+ s->setup_buf[i] = p->parameter >> (i*8);
+ }
+
+ s->setup_state = SETUP_STATE_PARAM;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ s->setup_index = 0;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ if (p->pid == USB_TOKEN_OUT) {
+ usb_packet_copy(p, s->data_buf, s->setup_len);
+--
+2.18.4
diff --git a/community/qemu/APKBUILD b/community/qemu/APKBUILD
index bfbf9f3d8ee..53218009208 100644
--- a/community/qemu/APKBUILD
+++ b/community/qemu/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=qemu
pkgver=5.0.0
-pkgrel=1
+pkgrel=2
pkgdesc="QEMU is a generic machine emulator and virtualizer"
url="https://qemu.org/"
arch="all"
@@ -165,6 +165,7 @@ source="https://wiki.qemu-project.org/download/qemu-$pkgver.tar.xz
fix-sockios-header.patch
test-crypto-ivgen-skip-essiv.patch
guest-agent-shutdown.patch
+ 0001-usb-fix-setup_len-init.patch
$pkgname-guest-agent.confd
$pkgname-guest-agent.initd
@@ -173,6 +174,8 @@ source="https://wiki.qemu-project.org/download/qemu-$pkgver.tar.xz
"
# secfixes:
+# 5.0.0-r2:
+# - CVE-2020-14364
# 2.8.1-r1:
# - CVE-2016-7994
# - CVE-2016-7995
@@ -402,6 +405,7 @@ d7de79ea74e36702cac4a59e472564a55f0a663be7e63c3755e32b4b5dfbc04b390ee79f09f43f6a
39590476a4ebd7c1e79a4f0451b24c75b1817a2a83abaa1f71bb60b225d772152f0af8f3e51ff65645e378c536ffa6ff551dade52884d03a14b7c6a19c5c97d4 fix-sockios-header.patch
8b8db136f78bd26b5da171effa9e11016ec2bc3e2fc8107228b5543b47aa370978ed883794aa4f917f334e284a5b49e82070e1da2d31d49301195b6713a48eff test-crypto-ivgen-skip-essiv.patch
b8e58bcc409f25cc6ff59967ed68f4de0a8656ec4db71ab663cc77761f8210b3f85c475fceb32dec934dc02a5c4f679a8313edbcf84e149692a81764c8904f67 guest-agent-shutdown.patch
+708e38bdd758a06aa3a269aafc8eca1717b2e70dca4c06e5c8936ae3dbd6e64e43eb4a065bda4cf2216797eea72ab8457fd5a5a796fcca72e48344a0d40d9ef4 0001-usb-fix-setup_len-init.patch
d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd
1cd24c2444c5935a763c501af2b0da31635aad9cf62e55416d6477fcec153cddbe7de205d99616def11b085e0dd366ba22463d2270f831d884edbc307c7864a6 qemu-guest-agent.initd
9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules