* Tue Apr 23 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 3.1.0-23.el8
- kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch [bz#1693173]
- Resolves: bz#1693173 (CVE-2018-20815 qemu-kvm: QEMU: device_tree: heap buffer overflow while loading device tree blob [rhel-av-8])
parent e54536d6cd
commit 7d4fc9ff68
@ -0,0 +1,60 @@
From 1aefd1b8a1dbbf63d28901081102b31455f96290 Mon Sep 17 00:00:00 2001
From: Sergio Lopez Pascual <slp@redhat.com>
Date: Mon, 15 Apr 2019 12:22:02 +0100
Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Sergio Lopez Pascual <slp@redhat.com>
Message-id: <20190415122202.52108-2-slp@redhat.com>
Patchwork-id: 85670
O-Subject: [RHEL-AV-8.0.1 qemu-kvm PATCH 1/1] device_tree: Fix integer overflowing in load_device_tree()
Bugzilla: 1693173
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>

From: Markus Armbruster <armbru@redhat.com>

If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
computation of @dt_size overflows to a negative number, which then
gets converted to a very large size_t for g_malloc0() and
load_image_size(). In the (fortunately improbable) case g_malloc0()
succeeds and load_image_size() survives, we'd assign the negative
number to *sizep. What that would do to the callers I can't say, but
it's unlikely to be good.

Fix by rejecting images whose size would overflow.

Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20190409174018.25798-1-armbru@redhat.com>
(cherry picked from 065e6298a75164b4347682b63381dbe752c2b156)
Signed-off-by: Sergio Lopez <slp@redhat.com>

Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
device_tree.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/device_tree.c b/device_tree.c
index 6d9c972..fe61027 100644
--- a/device_tree.c
+++ b/device_tree.c
@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
filename_path);
goto fail;
}
+ if (dt_size > INT_MAX / 2 - 10000) {
+ error_report("Device tree file '%s' is too large", filename_path);
+ goto fail;
+ }

/* Expand to 2x size to give enough room for manipulation. */
dt_size += 10000;
--
1.8.3.1

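Review bot: the guard `+ if (dt_size > INT_MAX / 2 - 10000) {` hard-codes the same 10000-byte padding and 2x growth factor that `dt_size += 10000;` and the "Expand to 2x size" comment just below rely on, so the three have to be kept in sync by hand; a one-line comment on the check (or a named constant for the padding, used in both places) saying that the bound is what keeps the padded-and-doubled size within INT_MAX would make that dependency explicit for the next person who changes the padding. The bound itself is right: dt_size <= INT_MAX / 2 - 10000 gives dt_size + 10000 <= INT_MAX / 2, and doubling that cannot exceed INT_MAX, so the negative size that the commit message describes being passed to g_malloc0() and load_image_size() can no longer arise. The fix refuses the file rather than widening the arithmetic, and the error text "is too large" states that plainly to the user, which is the right trade-off for a blob that is expected to be small.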
@ -69,7 +69,7 @@ Obsoletes: %1-rhev
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 3.1.0
Release: 22%{?dist}
Release: 23%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY
@ -241,6 +241,8 @@ Patch78: kvm-block-file-posix-do-not-fail-on-unlock-bytes.patch
Patch79: kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch
# For bz#1687578 - Incorrect CVE vulnerabilities reported on Cascade Lake cpus
Patch80: kvm-i386-Make-arch_capabilities-migratable.patch
# For bz#1693173 - CVE-2018-20815 qemu-kvm: QEMU: device_tree: heap buffer overflow while loading device tree blob [rhel-av-8]
Patch81: kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch

BuildRequires: zlib-devel
BuildRequires: glib2-devel
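Review bot: Patch81 is declared here, following the Patch79/Patch80 pattern with its bz# comment, but the diff shows nothing on the %prep side; confirm that this spec applies PatchNN entries automatically (for example via %autopatch) rather than through explicit %patchNN lines, otherwise a matching apply line is needed in this change, since a declared-but-unapplied patch would leave CVE-2018-20815 unfixed in the build while the changelog claims it is resolved. The comment text matches the bz summary reused in the changelog entry, which keeps the two cross-referenceable.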
@ -1139,6 +1141,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \


%changelog
* Tue Apr 23 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 3.1.0-23.el8
- kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch [bz#1693173]
- Resolves: bz#1693173
(CVE-2018-20815 qemu-kvm: QEMU: device_tree: heap buffer overflow while loading device tree blob [rhel-av-8])

* Mon Apr 15 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 3.1.0-22.el8
- kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch [bz#1687578]
- kvm-i386-Make-arch_capabilities-migratable.patch [bz#1687578]
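Review bot: in the new changelog entry the line "(CVE-2018-20815 qemu-kvm: QEMU: device_tree: heap buffer overflow while loading device tree blob [rhel-av-8])" sits as a bare line after "- Resolves: bz#1693173", whereas the commit message keeps it on the same line as the Resolves item; either join it back onto the "- Resolves:" line or indent it as a continuation so tools and readers that scan "- " items per line do not take it for a stray entry. The entry's date, packager and 3.1.0-23.el8 version agree with the Release bump to 23%{?dist} in the first spec hunk.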