Diffstat (limited to 'poky/meta/recipes-devtools/qemu')
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu-system-native_6.2.0.bb2
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu.inc8
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch89
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch43
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu_6.2.0.bb4
5 files changed, 143 insertions, 3 deletions
diff --git a/poky/meta/recipes-devtools/qemu/qemu-system-native_6.2.0.bb b/poky/meta/recipes-devtools/qemu/qemu-system-native_6.2.0.bb
index bc5384d472..5ccede5095 100644
--- a/poky/meta/recipes-devtools/qemu/qemu-system-native_6.2.0.bb
+++ b/poky/meta/recipes-devtools/qemu/qemu-system-native_6.2.0.bb
@@ -11,7 +11,7 @@ DEPENDS = "glib-2.0-native zlib-native pixman-native qemu-native bison-native me
EXTRA_OECONF:append = " --target-list=${@get_qemu_system_target_list(d)}"
-PACKAGECONFIG ??= "fdt alsa kvm pie \
+PACKAGECONFIG ??= "fdt alsa kvm pie slirp \
${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer epoxy', '', d)} \
"
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc
index 4e94c4b2bf..63f0569d06 100644
--- a/poky/meta/recipes-devtools/qemu/qemu.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu.inc
@@ -33,6 +33,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0001-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch \
file://0002-virtio-net-fix-map-leaking-on-error-during-receive.patch \
file://pvrdma.patch \
+ file://CVE-2021-4206.patch \
+ file://CVE-2021-4207.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
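Review bot: The two new `file://` lines are in the reverse of the order the fixes landed upstream — the blob ids in the patch headers show CVE-2021-4207 (d28849b→237ed29 on hw/display/qxl-render.c) precedes CVE-2021-4206 (237ed29→ca21700) — so as listed, CVE-2021-4207.patch only applies to qxl-render.c with a line offset. The two hunks do not overlap, so the build should still succeed, but swapping the lines (`file://CVE-2021-4207.patch \` before `file://CVE-2021-4206.patch \`) keeps the backport in upstream order and lets both apply without fuzz or offset warnings. A one-line comment noting that the order matches upstream would stop a later reorder from reintroducing the offset.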
@@ -196,6 +198,12 @@ PACKAGECONFIG[libnfs] = "--enable-libnfs,--disable-libnfs,libnfs"
PACKAGECONFIG[pmem] = "--enable-libpmem,--disable-libpmem,pmdk"
PACKAGECONFIG[pulsedio] = "--enable-pa,--disable-pa,pulseaudio"
PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
+PACKAGECONFIG[bpf] = "--enable-bpf,--disable-bpf,libbpf"
+PACKAGECONFIG[capstone] = "--enable-capstone,--disable-capstone"
+PACKAGECONFIG[rdma] = "--enable-rdma,--disable-rdma"
+PACKAGECONFIG[vde] = "--enable-vde,--disable-vde"
+PACKAGECONFIG[slirp] = "--enable-slirp=internal,--disable-slirp"
+PACKAGECONFIG[brlapi] = "--enable-brlapi,--disable-brlapi"
INSANE_SKIP:${PN} = "arch"
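Review bot: `PACKAGECONFIG[slirp] = "--enable-slirp=internal,--disable-slirp"` compiles the libslirp copy shipped inside the QEMU tarball rather than a separately versioned library, and the two .bb changes in this commit turn that on by default, so libslirp security fixes now reach this recipe only through a qemu version bump or a local patch, and the recipe's CVE matching has to cover libslirp as well (or the option should become `--enable-slirp=system` with a libslirp recipe in DEPENDS once one exists). The `rdma`, `vde`, `capstone` and `brlapi` entries leave the third (dependency) field empty, unlike `libnfs` and `pmem` just above, so enabling any of them either fails at configure or silently picks up whatever happens to be in the sysroot, which is not reproducible; fill in the providing recipe for each, or say in a comment that the option is deliberately left for layers that supply it. For `capstone`, QEMU 6.2's configure presumably falls back to the in-tree copy when no system library is found; confirm which variant is actually selected so that vendored code is tracked the same way as slirp.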
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
new file mode 100644
index 0000000000..05f9c8f790
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
@@ -0,0 +1,89 @@
+From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+ (CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://git.qemu.org/?p=qemu.git;a=commit;h=fa892e9abb728e76afcf27323ab29c57fb0fe7aa
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/display/qxl-render.c | 7 +++++++
+ hw/display/vmware_vga.c | 2 ++
+ ui/cursor.c | 8 +++++++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 237ed29..ca21700 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ size_t size;
+
+ c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++ if (!c) {
++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++ cursor->header.width, cursor->header.height);
++ goto fail;
++ }
++
+ c->hot_x = cursor->header.hot_spot_x;
+ c->hot_y = cursor->header.hot_spot_y;
+ switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 98c8347..45d06cb 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+ int i, pixels;
+
+ qc = cursor_alloc(c->width, c->height);
++ assert(qc != NULL);
++
+ qc->hot_x = c->hot_x;
+ qc->hot_y = c->hot_y;
+ switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd..835f080 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+
+ /* parse pixel data */
+ c = cursor_alloc(width, height);
++ assert(c != NULL);
++
+ for (pixel = 0, y = 0; y < height; y++, line++) {
+ for (x = 0; x < height; x++, pixel++) {
+ idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+ QEMUCursor *cursor_alloc(int width, int height)
+ {
+ QEMUCursor *c;
+- int datasize = width * height * sizeof(uint32_t);
++ size_t datasize = width * height * sizeof(uint32_t);
++
++ if (width > 512 || height > 512) {
++ return NULL;
++ }
+
+ c = g_malloc0(sizeof(QEMUCursor) + datasize);
+ c->width = width;
+--
+1.8.3.1
+
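Review bot: In the cursor_alloc hunk the size arithmetic `size_t datasize = width * height * sizeof(uint32_t);` is evaluated before the new `> 512` guard, and `width * height` is an int-by-int product, so guest-supplied dimensions large enough to need the guard still overflow as signed arithmetic (undefined behaviour, not a wrap) before the function returns NULL; put the guard first and widen before multiplying: `if (width > 512 || height > 512) { return NULL; }` followed by `size_t datasize = (size_t)width * height * sizeof(uint32_t);`. The guard also does not reject negative width or height, which would make datasize wrap to a huge size_t on its way into g_malloc0 — harmless only if every caller passes unsigned header fields, which cannot be confirmed from this patch. The vmware_vga.c hunk turns an over-limit cursor into `assert(qc != NULL)`, i.e. an abort of the whole VM process, whereas the qxl path reports it through qxl_set_guest_bug; presumably the SVGA FIFO parser already bounds cursor dimensions below 512, but that should be confirmed or the assert replaced with a guest-error path like the qxl one. cursor_alloc, qxl_cursor and vmsvga_cursor_define all begin or end outside these hunks.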
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
new file mode 100644
index 0000000000..38f36abd9e
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
@@ -0,0 +1,43 @@
+From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:11:06 +0200
+Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
+ (CVE-2021-4207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Avoid fetching 'width' and 'height' a second time to prevent possible
+race condition. Refer to security advisory
+https://starlabs.sg/advisories/22-4207/ for more information.
+
+Fixes: CVE-2021-4207
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://git.qemu.org/?p=qemu.git;a=commit;h=9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/display/qxl-render.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d28849b..237ed29 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ }
+ break;
+ case SPICE_CURSOR_TYPE_ALPHA:
+- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
++ size = sizeof(uint32_t) * c->width * c->height;
+ qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
+ if (qxl->debug > 2) {
+ cursor_print_ascii_art(c, "qxl/alpha");
+--
+1.8.3.1
+
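Review bot: Only the width/height double-fetch is closed here; `cursor->header.type` (the switch this `case` belongs to) and the hot-spot fields are still read directly from the guest-shared `cursor`, so any header field that qxl_cursor reads more than once remains a TOCTOU window against a guest that rewrites the header concurrently. The safer idiom for a handler over guest memory is to copy `cursor->header` into a local struct once at the top of qxl_cursor and read only the copy, with a comment such as `/* snapshot guest-controlled header: fields must not be re-read from guest memory */`. Whether any other field is in fact read twice is not visible in this hunk, so treat this as a follow-up to check rather than a defect in the fix. qxl_cursor begins and ends outside the hunk.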
diff --git a/poky/meta/recipes-devtools/qemu/qemu_6.2.0.bb b/poky/meta/recipes-devtools/qemu/qemu_6.2.0.bb
index 9f7fad9886..42e133967e 100644
--- a/poky/meta/recipes-devtools/qemu/qemu_6.2.0.bb
+++ b/poky/meta/recipes-devtools/qemu/qemu_6.2.0.bb
@@ -15,12 +15,12 @@ EXTRA_OECONF:append:class-target:mipsarcho32 = "${@bb.utils.contains('BBEXTENDCU
EXTRA_OECONF:append:class-nativesdk = " --target-list=${@get_qemu_target_list(d)}"
PACKAGECONFIG ??= " \
- fdt sdl kvm pie \
+ fdt sdl kvm pie slirp \
${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer epoxy', '', d)} \
${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \
"
-PACKAGECONFIG:class-nativesdk ??= "fdt sdl kvm pie \
+PACKAGECONFIG:class-nativesdk ??= "fdt sdl kvm pie slirp \
${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer epoxy', '', d)} \
"
# ppc32 hosts are no longer supported in qemu