poky/meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch - openbmc/openbmc - Gitiles

 From 141b197408ab398c4f474ac1a728ab316e921f2b Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Wed, 13 Jun 2018 11:46:57 +0530
 Subject: [PATCH] qga: check bytes count read by guest-file-read

 While reading file content via 'guest-file-read' command,
 'qmp_guest_file_read' routine allocates buffer of count+1
 bytes. It could overflow for large values of 'count'.
 Add check to avoid it.

 Reported-by: Fakhri Zulkifli <mohdfakhrizulkifli@gmail.com>
 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

 CVE: CVE-2018-12617
 Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=141b197408ab398c4f474ac1a728ab316e921f2b]

 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
 ---
  qga/commands-posix.c | 2 +-
  qga/commands-win32.c | 2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)

 diff --git a/qga/commands-posix.c b/qga/commands-posix.c
 index 594d21ef3e..9284e71666 100644
 --- a/qga/commands-posix.c
 +++ b/qga/commands-posix.c
 @@ -458,7 +458,7 @@ struct GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count,

      if (!has_count) {
          count = QGA_READ_COUNT_DEFAULT;
 -    } else if (count < 0) {
 +    } else if (count < 0 || count >= UINT32_MAX) {
          error_setg(errp, "value '%" PRId64 "' is invalid for argument count",
                     count);
          return NULL;
 diff --git a/qga/commands-win32.c b/qga/commands-win32.c
 index 70ee5379f6..73f31fa8c2 100644
 --- a/qga/commands-win32.c
 +++ b/qga/commands-win32.c
 @@ -318,7 +318,7 @@ GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count,
      }
      if (!has_count) {
          count = QGA_READ_COUNT_DEFAULT;
 -    } else if (count < 0) {
 +    } else if (count < 0 || count >= UINT32_MAX) {
          error_setg(errp, "value '%" PRId64
                     "' is invalid for argument count", count);
          return NULL;
 --
 2.13.3
	From 141b197408ab398c4f474ac1a728ab316e921f2b Mon Sep 17 00:00:00 2001
	From: Prasad J Pandit <pjp@fedoraproject.org>
	Date: Wed, 13 Jun 2018 11:46:57 +0530
	Subject: [PATCH] qga: check bytes count read by guest-file-read

	While reading file content via 'guest-file-read' command,
	'qmp_guest_file_read' routine allocates buffer of count+1
	bytes. It could overflow for large values of 'count'.
	Add check to avoid it.

	Reported-by: Fakhri Zulkifli <mohdfakhrizulkifli@gmail.com>
	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	Cc: qemu-stable@nongnu.org
	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

	CVE: CVE-2018-12617
	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=141b197408ab398c4f474ac1a728ab316e921f2b]

	Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
	---
	qga/commands-posix.c \| 2 +-
	qga/commands-win32.c \| 2 +-
	2 files changed, 2 insertions(+), 2 deletions(-)

	diff --git a/qga/commands-posix.c b/qga/commands-posix.c
	index 594d21ef3e..9284e71666 100644
	--- a/qga/commands-posix.c
	+++ b/qga/commands-posix.c
	@@ -458,7 +458,7 @@ struct GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count,

	if (!has_count) {
	count = QGA_READ_COUNT_DEFAULT;
	- } else if (count < 0) {
	+ } else if (count < 0 \|\| count >= UINT32_MAX) {
	error_setg(errp, "value '%" PRId64 "' is invalid for argument count",
	count);
	return NULL;
	diff --git a/qga/commands-win32.c b/qga/commands-win32.c
	index 70ee5379f6..73f31fa8c2 100644
	--- a/qga/commands-win32.c
	+++ b/qga/commands-win32.c
	@@ -318,7 +318,7 @@ GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count,
	}
	if (!has_count) {
	count = QGA_READ_COUNT_DEFAULT;
	- } else if (count < 0) {
	+ } else if (count < 0 \|\| count >= UINT32_MAX) {
	error_setg(errp, "value '%" PRId64
	"' is invalid for argument count", count);
	return NULL;
	--
	2.13.3