Accepting request 829654 from home:bfrogers:branches:Virtualization
- Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441) (somehow our script processing the patches stripped the first character "u" - will address later) sb-fix-setup_len-init-CVE-2020-14364.patch - Re-sync openSUSE and SUSE SLE qemu packages. This changes file is the openSUSE one with this entry providing the intervening SLE CVE, JIRA, and bugzilla references, which are still addressed in this package, and not yet called out in this changes file. * CVE-2020-1983 CVE-2020-10761 CVE-2020-13361 CVE-2020-13362 CVE-2020-13659 CVE-2020-13800 * bsc#1167816 bsc#1170940 boo#1171712 bsc#1172383 bsc#1172384 bsc#1172386 bsc#1172495 bsc#1172710 * Patches dropped (SLE) (included in current release tarball): exec-set-map-length-to-zero-when-returni.patch i386-acpi-Remove-_HID-from-the-SMBus-ACP.patch megasas-use-unsigned-type-for-reply_queu.patch OBS-URL: https://build.opensuse.org/request/show/829654 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=565
This commit is contained in:
parent
f782d4da61
commit
fe7354f6c5
@ -1,3 +1,3 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
version https://git-lfs.github.com/spec/v1
|
||||||
oid sha256:4005d41755ab814b7f88da9452909fa6133c3ecaa71dff6d060aa50c3b6de2d7
|
oid sha256:054c58f5b1cdb6d78098cb77f119d414a5a2ad4950869a00eb6df2201ecddbbf
|
||||||
size 34956
|
size 35496
|
||||||
|
21
qemu.changes
21
qemu.changes
@ -1,3 +1,24 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 25 22:42:27 UTC 2020 - Bruce Rogers <brogers@suse.com>
|
||||||
|
|
||||||
|
- Fix OOB access while processing USB packets (CVE-2020-14364
|
||||||
|
bsc#1175441)
|
||||||
|
(somehow our script processing the patches stripped the first
|
||||||
|
character "u" - will address later)
|
||||||
|
sb-fix-setup_len-init-CVE-2020-14364.patch
|
||||||
|
- Re-sync openSUSE and SUSE SLE qemu packages. This changes file
|
||||||
|
is the openSUSE one with this entry providing the intervening
|
||||||
|
SLE CVE, JIRA, and bugzilla references, which are still addressed
|
||||||
|
in this package, and not yet called out in this changes file.
|
||||||
|
* CVE-2020-1983 CVE-2020-10761 CVE-2020-13361 CVE-2020-13362
|
||||||
|
CVE-2020-13659 CVE-2020-13800
|
||||||
|
* bsc#1167816 bsc#1170940 boo#1171712 bsc#1172383 bsc#1172384
|
||||||
|
bsc#1172386 bsc#1172495 bsc#1172710
|
||||||
|
* Patches dropped (SLE) (included in current release tarball):
|
||||||
|
exec-set-map-length-to-zero-when-returni.patch
|
||||||
|
i386-acpi-Remove-_HID-from-the-SMBus-ACP.patch
|
||||||
|
megasas-use-unsigned-type-for-reply_queu.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Aug 20 13:19:12 UTC 2020 - Bruce Rogers <brogers@suse.com>
|
Thu Aug 20 13:19:12 UTC 2020 - Bruce Rogers <brogers@suse.com>
|
||||||
|
|
||||||
|
86
sb-fix-setup_len-init-CVE-2020-14364.patch
Normal file
86
sb-fix-setup_len-init-CVE-2020-14364.patch
Normal file
@ -0,0 +1,86 @@
|
|||||||
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Date: Tue, 25 Aug 2020 07:36:36 +0200
|
||||||
|
Subject: usb: fix setup_len init (CVE-2020-14364)
|
||||||
|
|
||||||
|
Git-commit: 0000000000000000000000000000000000000000
|
||||||
|
References: bsc#1175441, CVE-2020-14364
|
||||||
|
|
||||||
|
Store calculated setup_len in a local variable, verify it, and only
|
||||||
|
write it to the struct (USBDevice->setup_len) in case it passed the
|
||||||
|
sanity checks.
|
||||||
|
|
||||||
|
This prevents other code (do_token_{in,out} functions specifically)
|
||||||
|
from working with invalid USBDevice->setup_len values and overrunning
|
||||||
|
the USBDevice->setup_buf[] buffer.
|
||||||
|
|
||||||
|
Fixes: CVE-2020-14364
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Tested-by: Gonglei <arei.gonglei@huawei.com>
|
||||||
|
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||||
|
---
|
||||||
|
hw/usb/core.c | 16 ++++++++++------
|
||||||
|
1 file changed, 10 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/usb/core.c b/hw/usb/core.c
|
||||||
|
index 5abd128b6bc5f5440e18b143fe41..5234dcc73fea6012f7143f307640 100644
|
||||||
|
--- a/hw/usb/core.c
|
||||||
|
+++ b/hw/usb/core.c
|
||||||
|
@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
|
||||||
|
static void do_token_setup(USBDevice *s, USBPacket *p)
|
||||||
|
{
|
||||||
|
int request, value, index;
|
||||||
|
+ unsigned int setup_len;
|
||||||
|
|
||||||
|
if (p->iov.size != 8) {
|
||||||
|
p->status = USB_RET_STALL;
|
||||||
|
@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
|
||||||
|
usb_packet_copy(p, s->setup_buf, p->iov.size);
|
||||||
|
s->setup_index = 0;
|
||||||
|
p->actual_length = 0;
|
||||||
|
- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
|
||||||
|
- if (s->setup_len > sizeof(s->data_buf)) {
|
||||||
|
+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
|
||||||
|
+ if (setup_len > sizeof(s->data_buf)) {
|
||||||
|
fprintf(stderr,
|
||||||
|
"usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
|
||||||
|
- s->setup_len, sizeof(s->data_buf));
|
||||||
|
+ setup_len, sizeof(s->data_buf));
|
||||||
|
p->status = USB_RET_STALL;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
+ s->setup_len = setup_len;
|
||||||
|
|
||||||
|
request = (s->setup_buf[0] << 8) | s->setup_buf[1];
|
||||||
|
value = (s->setup_buf[3] << 8) | s->setup_buf[2];
|
||||||
|
@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
|
||||||
|
static void do_parameter(USBDevice *s, USBPacket *p)
|
||||||
|
{
|
||||||
|
int i, request, value, index;
|
||||||
|
+ unsigned int setup_len;
|
||||||
|
|
||||||
|
for (i = 0; i < 8; i++) {
|
||||||
|
s->setup_buf[i] = p->parameter >> (i*8);
|
||||||
|
}
|
||||||
|
|
||||||
|
s->setup_state = SETUP_STATE_PARAM;
|
||||||
|
- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
|
||||||
|
s->setup_index = 0;
|
||||||
|
|
||||||
|
request = (s->setup_buf[0] << 8) | s->setup_buf[1];
|
||||||
|
value = (s->setup_buf[3] << 8) | s->setup_buf[2];
|
||||||
|
index = (s->setup_buf[5] << 8) | s->setup_buf[4];
|
||||||
|
|
||||||
|
- if (s->setup_len > sizeof(s->data_buf)) {
|
||||||
|
+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
|
||||||
|
+ if (setup_len > sizeof(s->data_buf)) {
|
||||||
|
fprintf(stderr,
|
||||||
|
"usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
|
||||||
|
- s->setup_len, sizeof(s->data_buf));
|
||||||
|
+ setup_len, sizeof(s->data_buf));
|
||||||
|
p->status = USB_RET_STALL;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
+ s->setup_len = setup_len;
|
||||||
|
|
||||||
|
if (p->pid == USB_TOKEN_OUT) {
|
||||||
|
usb_packet_copy(p, s->data_buf, s->setup_len);
|
Loading…
Reference in New Issue
Block a user