Re: [OE-core] [PATCH] qemu: Security Advisory - qemu - CVE-2019-15890
On Wed, 2019-09-11 at 15:51 +0800, zhou li wrote: > On 2019/09/11 15:38, Mittal, Anuj wrote: > > On Wed, 2019-09-11 at 14:02 +0800, Li Zhou wrote: > > > Backporting patch from > > > https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943 > > > to solve CVE-2019-15890. > > > > > > Signed-off-by: Li Zhou > > > --- > > > meta/recipes-devtools/qemu/qemu.inc| 1 + > > > .../qemu/qemu/CVE-2019-15890.patch | 48 > > > ++ > > > 2 files changed, 49 insertions(+) > > > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019- > > > 15890.patch > > > > > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes- > > > devtools/qemu/qemu.inc > > > index 241f9db..de21d30 100644 > > > --- a/meta/recipes-devtools/qemu/qemu.inc > > > +++ b/meta/recipes-devtools/qemu/qemu.inc > > > @@ -23,6 +23,7 @@ SRC_URI = " > > > https://download.qemu.org/${BPN}-${PV}.tar.xz \ > > > file://0008-linux-user-Fix-webkitgtk-hangs-on-32- > > > bit-x86- > > > target.patch \ > > > file://0009-Fix-webkitgtk-builds.patch \ > > > file://0010-configure-Add-pkg-config-handling-for- > > > libgcrypt.patch \ > > > + file://CVE-2019-15890.patch \ > > > " > > > UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" > > > > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch > > > new file mode 100644 > > > index 000..1d89431 > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch 
> > > @@ -0,0 +1,48 @@ > > > +From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17 > > > 00:00:00 > > > 2001 > > > +From: Li Zhou

> > Can you please fix the author name here?

> Do you mean it should be the original author?

> Here is my name because I have adapted sth (the file path) in the patch.

Yes, it should still reflect the name of original author here.

> Should I change it back by hand here?

git commit --amend --author "name " should help.

Thanks,
Anuj

--
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] qemu: Security Advisory - qemu - CVE-2019-15890
On 2019/09/11 15:38, Mittal, Anuj wrote: On Wed, 2019-09-11 at 14:02 +0800, Li Zhou wrote: Backporting patch from https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943 to solve CVE-2019-15890. Signed-off-by: Li Zhou --- meta/recipes-devtools/qemu/qemu.inc| 1 + .../qemu/qemu/CVE-2019-15890.patch | 48 ++ 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019- 15890.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes- devtools/qemu/qemu.inc index 241f9db..de21d30 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -23,6 +23,7 @@ SRC_URI = " https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86- target.patch \ file://0009-Fix-webkitgtk-builds.patch \ file://0010-configure-Add-pkg-config-handling-for- libgcrypt.patch \ + file://CVE-2019-15890.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch new file mode 100644 index 000..1d89431 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch @@ -0,0 +1,48 @@ +From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17 00:00:00 2001 +From: Li Zhou

> Can you please fix the author name here?

Do you mean it should be the original author?

Here is my name because I have adapted sth (the file path) in the patch.

Should I change it back by hand here?

Thanks.

> Thanks,
> Anuj

--
Best Regards!
Zhou Li
Phone number: 86-10-84778511
Re: [OE-core] [PATCH] qemu: Security Advisory - qemu - CVE-2019-15890
On Wed, 2019-09-11 at 14:02 +0800, Li Zhou wrote: > Backporting patch from > https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943 > to solve CVE-2019-15890. > > Signed-off-by: Li Zhou > --- > meta/recipes-devtools/qemu/qemu.inc| 1 + > .../qemu/qemu/CVE-2019-15890.patch | 48 > ++ > 2 files changed, 49 insertions(+) > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019- > 15890.patch > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes- > devtools/qemu/qemu.inc > index 241f9db..de21d30 100644 > --- a/meta/recipes-devtools/qemu/qemu.inc > +++ b/meta/recipes-devtools/qemu/qemu.inc > @@ -23,6 +23,7 @@ SRC_URI = " > https://download.qemu.org/${BPN}-${PV}.tar.xz \ > file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86- > target.patch \ > file://0009-Fix-webkitgtk-builds.patch \ > file://0010-configure-Add-pkg-config-handling-for- > libgcrypt.patch \ > + file://CVE-2019-15890.patch \ > " > UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch > new file mode 100644 > index 000..1d89431 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch > @@ -0,0 +1,48 @@ > +From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17 00:00:00 > 2001 > +From: Li Zhou

Can you please fix the author name here?

Thanks,
Anuj
[OE-core] [PATCH] qemu: Security Advisory - qemu - CVE-2019-15890
Backporting patch from https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943 to solve CVE-2019-15890. Signed-off-by: Li Zhou --- meta/recipes-devtools/qemu/qemu.inc| 1 + .../qemu/qemu/CVE-2019-15890.patch | 48 ++ 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 241f9db..de21d30 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -23,6 +23,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \ file://0009-Fix-webkitgtk-builds.patch \ file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \ + file://CVE-2019-15890.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch new file mode 100644 index 000..1d89431 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch 
@@ -0,0 +1,48 @@ +From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17 00:00:00 2001 +From: Li Zhou +Date: Tue, 10 Sep 2019 20:02:15 -0700 +Subject: [PATCH] ip_reass: Fix use after free + +Using ip_deq after m_free might read pointers from an allocation reuse. + +This would be difficult to exploit, but that is still related with +CVE-2019-14378 which generates fragmented IP packets that would trigger this +issue and at least produce a DoS. + +Signed-off-by: Samuel Thibault + +Upstream-Status: Backport +CVE: CVE-2019-15890 +Signed-off-by: Li Zhou +--- + slirp/src/ip_input.c | 6 -- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c +index 8c75d914..c07d7d40 100644 +--- a/slirp/src/ip_input.c b/slirp/src/ip_input.c +@@ -292,6 +292,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) + */ + while (q != (struct ipasfrag *)>frag_link && +ip->ip_off + ip->ip_len > q->ipf_off) { ++struct ipasfrag *prev; + i = (ip->ip_off + ip->ip_len) - q->ipf_off; + if (i < q->ipf_len) { + q->ipf_len -= i; +@@ -299,9 +300,10 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) + m_adj(dtom(slirp, q), i); + break; + } ++prev = q; + q = q->ipf_next; +-m_free(dtom(slirp, q->ipf_prev)); +-ip_deq(q->ipf_prev); ++ip_deq(prev); ++m_free(dtom(slirp, prev)); + } + + insert: +-- +2.23.0 + -- 1.9.1
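Review bot: The header of the new CVE-2019-15890.patch misattributes the upstream change: its `From:` line names Li Zhou, while the body lists `Signed-off-by: Samuel Thibault` first and is marked `Upstream-Status: Backport`. Keep the upstream author in `From:` and let the trailing `Signed-off-by: Li Zhou` record the path adaptation. It would also help to put the upstream commit URL from the cover text (https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943) next to `Upstream-Status: Backport`, so the provenance travels with the patch file and not only with this mail.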
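Review bot: Nothing in the code at the second `ip_reass` hunk (`@@ -299,9 +300,10 @@`) explains why `ip_deq(prev)` has to come before `m_free(dtom(slirp, prev))`; the reason lives only in the patch description ("Using ip_deq after m_free might read pointers from an allocation reuse"). The removed lines re-read `q->ipf_prev` after the mbuf holding that fragment had already been freed, and the new lines avoid that by saving `prev = q` before advancing and unlinking before freeing. A one-line comment above `ip_deq(prev)` saying the fragment must be unlinked while its mbuf is still allocated would keep a later cleanup from swapping the two calls back; if the backport has to stay byte-identical to upstream, raise that comment upstream and leave this hunk as it is.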