* [thud][PATCH] qemu: Security fixes CVE-2018-20815 CVE-2019-9824
@ 2019-07-02 3:43 Armin Kuster
From: Armin Kuster @ 2019-07-02 3:43 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Source: qemu.org
MR: 98623
Type: Security Fix
Disposition: Backport from qemu.org
ChangeID: 03b3f28e5860ef1cb9f58dce89f252bd7ed59f37
Description:
Fixes both CVE-2018-20815 and CVE-2019-9824
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../qemu/qemu/CVE-2018-20815_p1.patch | 42 +++++++++++++++++
.../qemu/qemu/CVE-2018-20815_p2.patch | 52 ++++++++++++++++++++++
.../recipes-devtools/qemu/qemu/CVE-2019-9824.patch | 47 +++++++++++++++++++
meta/recipes-devtools/qemu/qemu_3.0.0.bb | 3 ++
4 files changed, 144 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch
new file mode 100644
index 0000000..c3a5981
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch
@@ -0,0 +1,42 @@
+From da885fe1ee8b4589047484bd7fa05a4905b52b17 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Fri, 14 Dec 2018 13:30:52 +0000
+Subject: [PATCH] device_tree.c: Don't use load_image()
+
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Message-id: 20181130151712.2312-9-peter.maydell@linaro.org
+
+Upstream-Status: Backport
+CVE: CVE-2018-20815
+affects <= 3.0.1
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/device_tree.c b/device_tree.c
+index 6d9c972..296278e 100644
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
+ /* First allocate space in qemu for device tree */
+ fdt = g_malloc0(dt_size);
+
+- dt_file_load_size = load_image(filename_path, fdt);
++ dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+ if (dt_file_load_size < 0) {
+ error_report("Unable to open device tree file '%s'",
+ filename_path);
+--
+2.7.4
+
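Review bot: on its own, the one-line switch from `load_image()` to `load_image_size(filename_path, fdt, dt_size)` only bounds the read of the file into the `dt_size` buffer; the integer overflow in the computation of `dt_size` that CVE-2018-20815 is filed against is not touched here and is addressed only by the separate `CVE-2018-20815_p2.patch`. Since both files carry the same `CVE: CVE-2018-20815` tag, cve-check will report the CVE as fixed as soon as either patch is present, so the recipe should state (in the patch header or the series description) that p1 is a prerequisite and must be applied together with p2. As a documentation point, this header has only a `Message-id:` while `CVE-2019-9824.patch` also records the upstream commit URL under `Upstream-Status: Backport`; the same URL form here would make the backport source easier to verify.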
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch
new file mode 100644
index 0000000..d01e874
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch
@@ -0,0 +1,52 @@
+From 065e6298a75164b4347682b63381dbe752c2b156 Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Tue, 9 Apr 2019 19:40:18 +0200
+Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
+computation of @dt_size overflows to a negative number, which then
+gets converted to a very large size_t for g_malloc0() and
+load_image_size(). In the (fortunately improbable) case g_malloc0()
+succeeds and load_image_size() survives, we'd assign the negative
+number to *sizep. What that would do to the callers I can't say, but
+it's unlikely to be good.
+
+Fix by rejecting images whose size would overflow.
+
+Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com>
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20190409174018.25798-1-armbru@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-20815
+affects <= 3.0.1
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ device_tree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/device_tree.c b/device_tree.c
+index 296278e..f8b46b3 100644
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
+ filename_path);
+ goto fail;
+ }
++ if (dt_size > INT_MAX / 2 - 10000) {
++ error_report("Device tree file '%s' is too large", filename_path);
++ goto fail;
++ }
+
+ /* Expand to 2x size to give enough room for manipulation. */
+ dt_size += 10000;
+--
+2.7.4
+
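Review bot: the `affects <= 3.0.1` line is identical to the one in `CVE-2018-20815_p1.patch` although this upstream commit is dated `Tue, 9 Apr 2019` against p1's `Fri, 14 Dec 2018`, so the range looks copied rather than derived from where this fix landed; please confirm it against the upstream release that first carries commit 065e6298 rather than reusing p1's annotation. The guard itself is placed correctly: `if (dt_size > INT_MAX / 2 - 10000)` sits before the `dt_size += 10000;` and the doubling that the unchanged context comment describes, so the bound matches the arithmetic that follows. Note also that the `index 296278e..f8b46b3` line shows this patch is generated on top of p1's post-image (`6d9c972..296278e`), so it only applies if p1 is listed first in `SRC_URI`.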
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
new file mode 100644
index 0000000..7f83006
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
@@ -0,0 +1,47 @@
+From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001
+From: William Bowling <will@wbowling.info>
+Date: Fri, 1 Mar 2019 21:45:56 +0000
+Subject: [PATCH 1/1] slirp: check sscanf result when emulating ident
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+
+Signed-off-by: William Bowling <will@wbowling.info>
+Cc: qemu-stable@nongnu.org
+Cc: secalert@redhat.com
+Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Upstream-Status: Backport
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d3222975c7d6cda9e25809dea05241188457b113;hp=6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8
+CVE: CVE-2019-9824
+affects < 4.0.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-3.0.0/slirp/tcp_subr.c
+===================================================================
+--- qemu-3.0.0.orig/slirp/tcp_subr.c
++++ qemu-3.0.0/slirp/tcp_subr.c
+@@ -662,12 +662,12 @@ tcp_emu(struct socket *so, struct mbuf *
+ break;
+ }
+ }
++ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
++ so_rcv->sb_datalen,
++ "%d,%d\r\n", n1, n2);
++ so_rcv->sb_rptr = so_rcv->sb_data;
++ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ }
+- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+- so_rcv->sb_datalen,
+- "%d,%d\r\n", n1, n2);
+- so_rcv->sb_rptr = so_rcv->sb_data;
+- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ }
+ m_free(m);
+ return 0;
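Review bot: this patch is in quilt `Index:` form with `qemu-3.0.0.orig/` and `qemu-3.0.0/` paths, while the other two are `git format-patch` output with a `---` diffstat; keeping all three in git format would let patchtest and `git am` handle the series uniformly, and the header would also benefit from a blank line before the final `Signed-off-by: Armin Kuster` trailer. The code move itself is right for what the commit message describes: after the hunk, the `snprintf` of `"%d,%d\r\n", n1, n2` into `so_rcv->sb_data` and the `sb_rptr`/`sb_wptr` updates happen only inside the block that assigned `n1` and `n2`, so a failed `sscanf` no longer sends uninitialized values in the reply, and the unchanged `m_free(m)` path still frees the mbuf in both cases.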
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index 63a6468..b591cc24 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -32,6 +32,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2018-19364_p2.patch \
file://CVE-2018-19489.patch \
file://CVE-2019-12155.patch \
+ file://CVE-2018-20815_p1.patch \
+ file://CVE-2018-20815_p2.patch \
+ file://CVE-2019-9824.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
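Review bot: the ordering of the three added `file://` lines is load-bearing: `CVE-2018-20815_p2.patch` is diffed against p1's post-image, so `CVE-2018-20815_p1.patch` must stay listed before it, and the `.bb` should not be reordered later without regenerating p2. Separately, patchtest reports that the series does not apply on `thud` (currently at `f162d5bfe6`); the context lines `CVE-2018-19364_p2.patch`, `CVE-2018-19489.patch` and `CVE-2019-12155.patch` that this hunk depends on are the likely point of divergence, so please rebase on the current thud head and resend as `[PATCH v2]`.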
--
2.7.4
* ✗ patchtest: failure for qemu: Security fixes CVE-2018-20815 CVE-2019-9824
@ 2019-07-02 4:04 ` Patchwork
From: Patchwork @ 2019-07-02 4:04 UTC (permalink / raw)
To: Armin Kuster; +Cc: openembedded-core
== Series Details ==
Series: qemu: Security fixes CVE-2018-20815 CVE-2019-9824
Revision: 1
URL : https://patchwork.openembedded.org/series/18484/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue Series does not apply on top of target branch [test_series_merge_on_head]
Suggested fix Rebase your series on top of targeted branch
Targeted branch thud (currently at f162d5bfe6)
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe