* [PATCH][dizzy] qemu: CVE-2014-7840
@ 2015-08-18 8:45 Sona Sarmadi
2015-08-20 1:03 ` akuster808
0 siblings, 1 reply; 2+ messages in thread
From: Sona Sarmadi @ 2015-08-18 8:45 UTC (permalink / raw)
To: openembedded-core
Fixes insufficient parameter validation during ram load
Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7840
Upstream commit:
http://git.qemu.org/?p=qemu.git;a=commit;
h=0be839a2701369f669532ea5884c15bead1c6e08
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
.../recipes-devtools/qemu/qemu/CVE-2014-7840.patch | 57 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.1.0.bb | 1 +
2 files changed, 58 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
new file mode 100644
index 0000000..4f992ba
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
@@ -0,0 +1,57 @@
+From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 12 Nov 2014 11:44:39 +0200
+Subject: [PATCH] migration: fix parameter validation on ram load
+
+During migration, the values read from migration stream during ram load
+are not validated. Especially offset in host_from_stream_offset() and
+also the length of the writes in the callers of said function.
+
+To fix this, we need to make sure that the [offset, offset + length]
+range fits into one of the allocated memory regions.
+
+Validating addr < len should be sufficient since data seems to always be
+managed in TARGET_PAGE_SIZE chunks.
+
+Fixes: CVE-2014-7840
+
+Upstream-Status: Backport
+
+Note: follow-up patches add extra checks on each block->host access.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ arch_init.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch_init.c b/arch_init.c
+index 88a5ba0..593a990 100644
+--- a/arch_init.c
++++ b/arch_init.c
+@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f,
+ uint8_t len;
+
+ if (flags & RAM_SAVE_FLAG_CONTINUE) {
+- if (!block) {
++ if (!block || block->length <= offset) {
+ error_report("Ack, bad migration stream!");
+ return NULL;
+ }
+@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f,
+ id[len] = 0;
+
+ QTAILQ_FOREACH(block, &ram_list.blocks, next) {
+- if (!strncmp(id, block->idstr, sizeof(id)))
++ if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) {
+ return memory_region_get_ram_ptr(block->mr) + offset;
++ }
+ }
+
+ error_report("Can't find block %s!", id);
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
index d0ce744..5e5ecf0 100644
--- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
file://0001-Back-porting-security-fix-CVE-2014-5388.patch \
file://qemu-CVE-2015-3456.patch \
+ file://CVE-2014-7840.patch \
"
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"
--
1.9.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH][dizzy] qemu: CVE-2014-7840
2015-08-18 8:45 [PATCH][dizzy] qemu: CVE-2014-7840 Sona Sarmadi
@ 2015-08-20 1:03 ` akuster808
0 siblings, 0 replies; 2+ messages in thread
From: akuster808 @ 2015-08-20 1:03 UTC (permalink / raw)
To: Sona Sarmadi, openembedded-core
On 8/18/15 1:45 AM, Sona Sarmadi wrote:
> Fixes insufficient parameter validation during ram load
>
> Reference
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7840
>
> Upstream commit:
> http://git.qemu.org/?p=qemu.git;a=commit;
> h=0be839a2701369f669532ea5884c15bead1c6e08
>
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Merged to staging,
Thanks,
Armin
> ---
> .../recipes-devtools/qemu/qemu/CVE-2014-7840.patch | 57 ++++++++++++++++++++++
> meta/recipes-devtools/qemu/qemu_2.1.0.bb | 1 +
> 2 files changed, 58 insertions(+)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
> new file mode 100644
> index 0000000..4f992ba
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
> @@ -0,0 +1,57 @@
> +From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001
> +From: "Michael S. Tsirkin" <mst@redhat.com>
> +Date: Wed, 12 Nov 2014 11:44:39 +0200
> +Subject: [PATCH] migration: fix parameter validation on ram load
> +
> +During migration, the values read from migration stream during ram load
> +are not validated. Especially offset in host_from_stream_offset() and
> +also the length of the writes in the callers of said function.
> +
> +To fix this, we need to make sure that the [offset, offset + length]
> +range fits into one of the allocated memory regions.
> +
> +Validating addr < len should be sufficient since data seems to always be
> +managed in TARGET_PAGE_SIZE chunks.
> +
> +Fixes: CVE-2014-7840
> +
> +Upstream-Status: Backport
> +
> +Note: follow-up patches add extra checks on each block->host access.
> +
> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> +Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
> +Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> +Signed-off-by: Amit Shah <amit.shah@redhat.com>
> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> +---
> + arch_init.c | 5 +++--
> + 1 file changed, 3 insertions(+), 2 deletions(-)
> +
> +diff --git a/arch_init.c b/arch_init.c
> +index 88a5ba0..593a990 100644
> +--- a/arch_init.c
> ++++ b/arch_init.c
> +@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f,
> + uint8_t len;
> +
> + if (flags & RAM_SAVE_FLAG_CONTINUE) {
> +- if (!block) {
> ++ if (!block || block->length <= offset) {
> + error_report("Ack, bad migration stream!");
> + return NULL;
> + }
> +@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f,
> + id[len] = 0;
> +
> + QTAILQ_FOREACH(block, &ram_list.blocks, next) {
> +- if (!strncmp(id, block->idstr, sizeof(id)))
> ++ if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) {
> + return memory_region_get_ram_ptr(block->mr) + offset;
> ++ }
> + }
> +
> + error_report("Can't find block %s!", id);
> +--
> +1.9.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
> index d0ce744..5e5ecf0 100644
> --- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb
> +++ b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
> @@ -8,6 +8,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
> file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
> file://0001-Back-porting-security-fix-CVE-2014-5388.patch \
> file://qemu-CVE-2015-3456.patch \
> + file://CVE-2014-7840.patch \
> "
> SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
> SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-08-20 1:03 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-08-18 8:45 [PATCH][dizzy] qemu: CVE-2014-7840 Sona Sarmadi
2015-08-20 1:03 ` akuster808
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox