poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch - openbmc/openbmc - Gitiles

 From 20abe443ad9464b18ac494f71f7d53f19ee3748f Mon Sep 17 00:00:00 2001
 From: Changqing Li <changqing.li@windriver.com>
 Date: Mon, 15 Oct 2018 16:38:08 +0800
 Subject: [PATCH] rtl8139: fix possible out of bound access

 In rtl8139_do_receive(), we try to assign size_ to size which converts
 from size_t to integer. This will cause troubles when size_ is greater
 INT_MAX, this will lead a negative value in size and it can then pass
 the check of size < MIN_BUF_SIZE which may lead out of bound access of
 for both buf and buf1.

 Fixing by converting the type of size to size_t.

 CC: address@hidden
 Reported-by: Daniel Shapira <address@hidden>
 Reviewed-by: Michael S. Tsirkin <address@hidden>
 Signed-off-by: Jason Wang <address@hidden>

 Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html]

 CVE: CVE-2018-17962

 Signed-off-by: Changqing Li <changqing.li@windriver.com>
 ---
  hw/net/rtl8139.c | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

 diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
 index 46daa16..2342a09 100644
 --- a/hw/net/rtl8139.c
 +++ b/hw/net/rtl8139.c
 @@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
      RTL8139State *s = qemu_get_nic_opaque(nc);
      PCIDevice *d = PCI_DEVICE(s);
      /* size is the length of the buffer passed to the driver */
 -    int size = size_;
 +    size_t size = size_;
      const uint8_t *dot1q_buf = NULL;

      uint32_t packet_header = 0;
 @@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
      static const uint8_t broadcast_macaddr[6] =
          { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

 -    DPRINTF(">>> received len=%d\n", size);
 +    DPRINTF(">>> received len=%zu\n", size);

      /* test if board clock is stopped */
      if (!s->clock_enabled)
 @@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t

          if (size+4 > rx_space)
          {
 -            DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n",
 +            DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n",
                  descriptor, rx_space, size);

              s->IntrStatus |= RxOverflow;
 @@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
          if (avail != 0 && RX_ALIGN(size + 8) >= avail)
          {
              DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
 -                "read 0x%04x === available 0x%04x need 0x%04x\n",
 +                "read 0x%04x === available 0x%04x need 0x%04zx\n",
                  s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8);

              s->IntrStatus |= RxOverflow;
 --
 2.7.4
	From 20abe443ad9464b18ac494f71f7d53f19ee3748f Mon Sep 17 00:00:00 2001
	From: Changqing Li <changqing.li@windriver.com>
	Date: Mon, 15 Oct 2018 16:38:08 +0800
	Subject: [PATCH] rtl8139: fix possible out of bound access

	In rtl8139_do_receive(), we try to assign size_ to size which converts
	from size_t to integer. This will cause troubles when size_ is greater
	INT_MAX, this will lead a negative value in size and it can then pass
	the check of size < MIN_BUF_SIZE which may lead out of bound access of
	for both buf and buf1.

	Fixing by converting the type of size to size_t.

	CC: address@hidden
	Reported-by: Daniel Shapira <address@hidden>
	Reviewed-by: Michael S. Tsirkin <address@hidden>
	Signed-off-by: Jason Wang <address@hidden>

	Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html]

	CVE: CVE-2018-17962

	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	---
	hw/net/rtl8139.c \| 8 ++++----
	1 file changed, 4 insertions(+), 4 deletions(-)

	diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
	index 46daa16..2342a09 100644
	--- a/hw/net/rtl8139.c
	+++ b/hw/net/rtl8139.c
	@@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t
	RTL8139State *s = qemu_get_nic_opaque(nc);
	PCIDevice *d = PCI_DEVICE(s);
	/* size is the length of the buffer passed to the driver */
	- int size = size_;
	+ size_t size = size_;
	const uint8_t *dot1q_buf = NULL;

	uint32_t packet_header = 0;
	@@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t
	static const uint8_t broadcast_macaddr[6] =
	{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

	- DPRINTF(">>> received len=%d\n", size);
	+ DPRINTF(">>> received len=%zu\n", size);

	/* test if board clock is stopped */
	if (!s->clock_enabled)
	@@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t

	if (size+4 > rx_space)
	{
	- DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n",
	+ DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n",
	descriptor, rx_space, size);

	s->IntrStatus \|= RxOverflow;
	@@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t
	if (avail != 0 && RX_ALIGN(size + 8) >= avail)
	{
	DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
	- "read 0x%04x === available 0x%04x need 0x%04x\n",
	+ "read 0x%04x === available 0x%04x need 0x%04zx\n",
	s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8);

	s->IntrStatus \|= RxOverflow;
	--
	2.7.4