Adrian,

On 11/03/2016 07:18 AM, Adrian Dudau wrote:
affects qemu < 2.7.0

Quick Emulator (Qemu) built with the ESP/NCR53C9x controller emulation
support is vulnerable to an OOB write access issue. The controller uses a
16-byte FIFO buffer for command and data transfer. The OOB write occurs
while writing to this command buffer in routine get_cmd().

A privileged user inside the guest could use this flaw to crash the Qemu
process, resulting in a DoS.

References:
----------
http://www.openwall.com/lists/oss-security/2016/05/19/4
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4441

Signed-off-by: Adrian Dudau <adrian.du...@enea.com>
---
  .../recipes-devtools/qemu/qemu/CVE-2016-4441.patch | 78 ++++++++++++++++++++++
  meta/recipes-devtools/qemu/qemu_2.5.0.bb           |  1 +
  2 files changed, 79 insertions(+)
  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
new file mode 100644
index 0000000..3cbe394
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
@@ -0,0 +1,78 @@
+From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <p...@fedoraproject.org>
+Date: Thu, 19 May 2016 16:09:31 +0530
+Subject: [PATCH] esp: check dma length before reading scsi 
command(CVE-2016-4441)
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer.
+Routine get_cmd() uses DMA to read scsi commands into this buffer.
+Add check to validate DMA length against buffer size to avoid any
+overrun.
+
+Fixes CVE-2016-4441.
+
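
Review bot: the patch header in this hunk carries the upstream commit's From/Date/Subject and message but none of the OE-Core metadata: there is no "Upstream-Status: Backport" line and no "CVE: CVE-2016-4441" line, and both are required for a CVE backport under meta/recipes-devtools so that the upstream-status check and cve-check can pick the patch up. Add them, together with your own Signed-off-by, directly below "Fixes CVE-2016-4441.", i.e. "Upstream-Status: Backport" followed by "CVE: CVE-2016-4441". Also note that the Subject line is split across two lines here ("...before reading scsi" / "command(CVE-2016-4441)"); confirm the committed file keeps it on a single line.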

Correct or include the CVE tag on the CVE patch, with the format 'CVE: CVE-YYYY-XXXX'.

--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
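
The get_cmd() overrun that the quoted commit message describes, as an added illustration (a standalone C model written for this page, not QEMU's esp.c and not the patch above): a guest-controlled 24-bit transfer count assembled from the three transfer-count registers is handed straight to the DMA read that fills a 16-byte command buffer, so any count above 16 writes past the buffer, and the checked variant refuses such counts before the copy. The register names ESP_TCLO/ESP_TCMID/ESP_TCHI and the dma_memory_read callback follow QEMU's naming, but the 64-byte guest-RAM stand-in, the canary frame and the 0x41 payload are constructed here so the model can show the overrun without itself touching memory out of bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16-byte internal FIFO, the buffer size named in the commit message. */
#define TI_BUFSZ 16

/* Transfer-count registers, low/middle/high byte. Names follow QEMU's esp.c;
 * everything else in this file is a constructed model, not QEMU code. */
enum { ESP_TCLO = 0, ESP_TCMID = 1, ESP_TCHI = 2 };

#define GUEST_RAM_SZ 64

typedef struct {
    uint8_t rregs[3];                /* guest-writable transfer count */
    uint8_t guest_ram[GUEST_RAM_SZ]; /* constructed stand-in for the DMA source */
} EspModel;

/* Stand-in for the dma_memory_read callback: copies len bytes of guest RAM to
 * dst. The clamp keeps the model's own read in bounds; it does nothing for
 * dst, which is the point of the example. */
static void dma_memory_read(EspModel *s, uint8_t *dst, uint32_t len)
{
    if (len > GUEST_RAM_SZ) {
        len = GUEST_RAM_SZ;
    }
    memcpy(dst, s->guest_ram, len);
}

/* 24-bit transfer count from the three registers, fully guest-controlled. */
static uint32_t dma_len(const EspModel *s)
{
    return (uint32_t)s->rregs[ESP_TCLO]
         | ((uint32_t)s->rregs[ESP_TCMID] << 8)
         | ((uint32_t)s->rregs[ESP_TCHI] << 16);
}

/* Vulnerable shape: the register value goes straight to the DMA read. */
static uint32_t get_cmd_unchecked(EspModel *s, uint8_t *buf)
{
    uint32_t dmalen = dma_len(s);
    dma_memory_read(s, buf, dmalen); /* buf is TI_BUFSZ bytes; dmalen may be far larger */
    return dmalen;
}

/* Hardened shape: validate the length against the destination before copying. */
static uint32_t get_cmd_checked(EspModel *s, uint8_t *buf, size_t buflen)
{
    uint32_t dmalen = dma_len(s);
    if (dmalen > buflen) {
        return 0; /* refuse the transfer; the caller sees "no command" */
    }
    dma_memory_read(s, buf, dmalen);
    return dmalen;
}

typedef struct {
    uint32_t copied;    /* value get_cmd returned */
    bool canary_intact; /* false if bytes beyond the 16-byte buffer were written */
} Outcome;

/* One guest "request" with the given transfer count. The command buffer is the
 * first TI_BUFSZ bytes of a larger frame; the rest is a canary standing in for
 * whatever the real allocation places after the buffer. */
static Outcome run_request(uint32_t count, bool use_check)
{
    EspModel s;
    uint8_t frame[GUEST_RAM_SZ]; /* sized so the model itself never writes out of bounds */
    Outcome o = { 0, true };

    memset(&s, 0, sizeof s);
    memset(s.guest_ram, 0x41, sizeof s.guest_ram); /* constructed DMA payload */
    memset(frame, 0x00, TI_BUFSZ);
    memset(frame + TI_BUFSZ, 0xCC, sizeof frame - TI_BUFSZ);

    s.rregs[ESP_TCLO]  = count & 0xff;
    s.rregs[ESP_TCMID] = (count >> 8) & 0xff;
    s.rregs[ESP_TCHI]  = (count >> 16) & 0xff;

    o.copied = use_check ? get_cmd_checked(&s, frame, TI_BUFSZ)
                         : get_cmd_unchecked(&s, frame);

    for (size_t i = TI_BUFSZ; i < sizeof frame; i++) {
        if (frame[i] != 0xCC) {
            o.canary_intact = false;
            break;
        }
    }
    return o;
}

int main(void)
{
    uint32_t counts[] = { 6, TI_BUFSZ, TI_BUFSZ + 1, 0xffffff };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        Outcome a = run_request(counts[i], false);
        Outcome b = run_request(counts[i], true);
        printf("count=%8u unchecked: copied=%8u canary=%-9s | checked: copied=%2u canary=%s\n",
               counts[i], a.copied, a.canary_intact ? "ok" : "CLOBBERED",
               b.copied, b.canary_intact ? "ok" : "CLOBBERED");
    }
    return 0;
}
```

A 6-byte count (the length of a typical SCSI CDB) behaves identically in both variants; 17 and 0xffffff clobber the canary only in the unchecked one. The check is a comparison against the destination's size rather than a clamp on purpose: silently truncating the transfer would hand the SCSI layer a different command than the guest issued, so refusing the transfer is the right failure mode.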