diff options
| author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-04-05 15:28:33 -0400 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-04-05 19:31:28 +0000 |
| commit | 193236933b0f4ab91b1625b64e2187e2db4e0e8f (patch) | |
| tree | e12769d7c76d8b0517d6de3d3c72189753d253ed /poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch | |
| parent | bd93df9478f2f56ffcbc8cb88f1709c735dcd85b (diff) | |
| download | talos-openbmc-193236933b0f4ab91b1625b64e2187e2db4e0e8f.tar.gz talos-openbmc-193236933b0f4ab91b1625b64e2187e2db4e0e8f.zip | |
reset upstream subtrees to HEAD
Reset the following subtrees on HEAD:
poky: 8217b477a1(master)
meta-xilinx: 64aa3d35ae(master)
meta-openembedded: 0435c9e193(master)
meta-raspberrypi: 490a4441ac(master)
meta-security: cb6d1c85ee(master)
Squashed patches:
meta-phosphor: drop systemd 239 patches
meta-phosphor: mrw-api: use correct install path
Change-Id: I268e2646d9174ad305630c6bbd3fbc1a6105f43d
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch')
| -rw-r--r-- | poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch new file mode 100644 index 000000000..7de5882b3 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch @@ -0,0 +1,39 @@ +QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an +out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() +function. A local attacker with permission to execute i2c commands could exploit +this to read stack memory of the qemu process on the host. + +CVE: CVE-2019-3812 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 8 Jan 2019 11:23:01 +0100 +Subject: [PATCH] i2c-ddc: fix oob read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Suggested-by: Michael Hanselmann <public@hansmi.ch> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reviewed-by: Michael Hanselmann <public@hansmi.ch> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-id: 20190108102301.1957-1-kraxel@redhat.com +--- + hw/i2c/i2c-ddc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c +index be34fe072cf..0a0367ff38f 100644 +--- a/hw/i2c/i2c-ddc.c ++++ b/hw/i2c/i2c-ddc.c +@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c) + I2CDDCState *s = I2CDDC(i2c); + + int value; +- value = s->edid_blob[s->reg]; ++ value = s->edid_blob[s->reg % sizeof(s->edid_blob)]; + s->reg++; + return value; + } |
