Re: [OE-core] [PATCH] qemu: Security Advisory - qemu - CVE-2019-15890
On Wed, 2019-09-11 at 15:51 +0800, zhou li wrote:
> On 2019/09/11 15:38, Mittal, Anuj wrote:
> > On Wed, 2019-09-11 at 14:02 +0800, Li Zhou wrote:
> > > Backporting patch from
> > > https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943
> > > to solve CVE-2019-15890.
> > >
> > > Signed-off-by: Li Zhou
> > > ---
> > > meta/recipes-devtools/qemu/qemu.inc| 1 +
> > > .../qemu/qemu/CVE-2019-15890.patch | 48
> > > ++
> > > 2 files changed, 49 insertions(+)
> > > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-
> > > 15890.patch
> > >
> > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-
> > > devtools/qemu/qemu.inc
> > > index 241f9db..de21d30 100644
> > > --- a/meta/recipes-devtools/qemu/qemu.inc
> > > +++ b/meta/recipes-devtools/qemu/qemu.inc
> > > @@ -23,6 +23,7 @@ SRC_URI = "
> > > https://download.qemu.org/${BPN}-${PV}.tar.xz \
> > > file://0008-linux-user-Fix-webkitgtk-hangs-on-32-
> > > bit-x86-
> > > target.patch \
> > > file://0009-Fix-webkitgtk-builds.patch \
> > > file://0010-configure-Add-pkg-config-handling-for-
> > > libgcrypt.patch \
> > > + file://CVE-2019-15890.patch \
> > > "
> > > UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
> > >
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
> > > new file mode 100644
> > > index 000..1d89431
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
> > > @@ -0,0 +1,48 @@
> > > +From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17
> > > 00:00:00
> > > 2001
> > > +From: Li Zhou
> > Can you please fix the author name here?
>
> Do you mean it should be the original author?
>
> Here is my name because I have adapted sth (the file path) in the
> patch.
>
Yes, it should still reflect the name of original author here.
> Should I change it back by hand here?
>
git commit --amend --author "name "
should help.
Thanks,
Anuj
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] qemu: Security Advisory - qemu - CVE-2019-15890
On 2019/09/11 15:38, Mittal, Anuj wrote:
On Wed, 2019-09-11 at 14:02 +0800, Li Zhou wrote:
Backporting patch from
https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943
to solve CVE-2019-15890.
Signed-off-by: Li Zhou
---
meta/recipes-devtools/qemu/qemu.inc| 1 +
.../qemu/qemu/CVE-2019-15890.patch | 48
++
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-
15890.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-
devtools/qemu/qemu.inc
index 241f9db..de21d30 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -23,6 +23,7 @@ SRC_URI = "
https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-
target.patch \
file://0009-Fix-webkitgtk-builds.patch \
file://0010-configure-Add-pkg-config-handling-for-
libgcrypt.patch \
+ file://CVE-2019-15890.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
new file mode 100644
index 000..1d89431
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
@@ -0,0 +1,48 @@
+From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17 00:00:00
2001
+From: Li Zhou
Can you please fix the author name here?
Do you mean it should be the original author?
Here is my name because I have adapted sth (the file path) in the patch.
Should I change it back by hand here?
Thanks.
Thanks,
Anuj
--
Best Regards!
Zhou Li
Phone number: 86-10-84778511
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] qemu: Security Advisory - qemu - CVE-2019-15890
On Wed, 2019-09-11 at 14:02 +0800, Li Zhou wrote:
> Backporting patch from
> https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943
> to solve CVE-2019-15890.
>
> Signed-off-by: Li Zhou
> ---
> meta/recipes-devtools/qemu/qemu.inc| 1 +
> .../qemu/qemu/CVE-2019-15890.patch | 48
> ++
> 2 files changed, 49 insertions(+)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-
> 15890.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-
> devtools/qemu/qemu.inc
> index 241f9db..de21d30 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -23,6 +23,7 @@ SRC_URI = "
> https://download.qemu.org/${BPN}-${PV}.tar.xz \
> file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-
> target.patch \
> file://0009-Fix-webkitgtk-builds.patch \
> file://0010-configure-Add-pkg-config-handling-for-
> libgcrypt.patch \
> + file://CVE-2019-15890.patch \
> "
> UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
> new file mode 100644
> index 000..1d89431
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
> @@ -0,0 +1,48 @@
> +From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17 00:00:00
> 2001
> +From: Li Zhou
Can you please fix the author name here?
Thanks,
Anuj
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] qemu: Security Advisory - qemu - CVE-2019-15890
Backporting patch from
https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943
to solve CVE-2019-15890.
Signed-off-by: Li Zhou
---
meta/recipes-devtools/qemu/qemu.inc| 1 +
.../qemu/qemu/CVE-2019-15890.patch | 48 ++
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc
b/meta/recipes-devtools/qemu/qemu.inc
index 241f9db..de21d30 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -23,6 +23,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
file://0009-Fix-webkitgtk-builds.patch \
file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
+ file://CVE-2019-15890.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
new file mode 100644
index 000..1d89431
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
@@ -0,0 +1,48 @@
+From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17 00:00:00 2001
+From: Li Zhou
+Date: Tue, 10 Sep 2019 20:02:15 -0700
+Subject: [PATCH] ip_reass: Fix use after free
+
+Using ip_deq after m_free might read pointers from an allocation reuse.
+
+This would be difficult to exploit, but that is still related with
+CVE-2019-14378 which generates fragmented IP packets that would trigger this
+issue and at least produce a DoS.
+
+Signed-off-by: Samuel Thibault
+
+Upstream-Status: Backport
+CVE: CVE-2019-15890
+Signed-off-by: Li Zhou
+---
+ slirp/src/ip_input.c | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
+index 8c75d914..c07d7d40 100644
+--- a/slirp/src/ip_input.c
b/slirp/src/ip_input.c
+@@ -292,6 +292,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip,
struct ipq *fp)
+ */
+ while (q != (struct ipasfrag *)>frag_link &&
+ip->ip_off + ip->ip_len > q->ipf_off) {
++struct ipasfrag *prev;
+ i = (ip->ip_off + ip->ip_len) - q->ipf_off;
+ if (i < q->ipf_len) {
+ q->ipf_len -= i;
+@@ -299,9 +300,10 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip,
struct ipq *fp)
+ m_adj(dtom(slirp, q), i);
+ break;
+ }
++prev = q;
+ q = q->ipf_next;
+-m_free(dtom(slirp, q->ipf_prev));
+-ip_deq(q->ipf_prev);
++ip_deq(prev);
++m_free(dtom(slirp, prev));
+ }
+
+ insert:
+--
+2.23.0
+
--
1.9.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
