| Message ID | 20220114180320.3526-1-sakib.sajal@windriver.com |
|---|---|
| State | New |
| Headers | show |
| Series | [hardknott,1/8] qemu: fix CVE-2021-3592 | expand |
Please disregard, sorry for the barrage of incomplete patch set. On 2022-01-14 1:03 p.m., Sakib Sajal wrote: > Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > --- > meta/recipes-devtools/qemu/qemu.inc | 1 + > .../qemu/qemu/CVE-2021-3594.patch | 40 +++++++++++++++++++ > 2 files changed, 41 insertions(+) > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc > index 811bdff426..4198d3a52c 100644 > --- a/meta/recipes-devtools/qemu/qemu.inc > +++ b/meta/recipes-devtools/qemu/qemu.inc > @@ -76,6 +76,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > file://CVE-2021-3593.patch \ > file://CVE-2021-3595_1.patch \ > file://CVE-2021-3595_2.patch \ > + file://CVE-2021-3594.patch \ > " > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch > new file mode 100644 > index 0000000000..c99ba7a7cc > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch > @@ -0,0 +1,40 @@ > +From 7a5ffd5475f2cbfe3cf91d9584893f1a4b3b4dff Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com> > +Date: Fri, 4 Jun 2021 16:40:23 +0400 > +Subject: [PATCH 07/12] udp: check upd_input buffer size > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +Fixes: CVE-2021-3594 > +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 > + > +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> > + > +Upstream-Status: Backport [74572be49247c8c5feae7c6e0b50c4f569ca9824] > +CVE: CVE-2021-3594 > + > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + slirp/src/udp.c | 5 ++++- > + 1 file changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/slirp/src/udp.c b/slirp/src/udp.c > +index 0ad44d7c0..18b4acdfa 100644 > +--- a/slirp/src/udp.c > ++++ b/slirp/src/udp.c > +@@ -93,7 +93,10 @@ void udp_input(register struct mbuf *m, int iphlen) > + /* > + * Get IP and UDP header together in first mbuf. > + */ > +- ip = mtod(m, struct ip *); > ++ ip = mtod_check(m, iphlen + sizeof(struct udphdr)); > ++ if (ip == NULL) { > ++ goto bad; > ++ } > + uh = (struct udphdr *)((char *)ip + iphlen); > + > + /* > +-- > +2.31.1 > + > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#160576): https://lists.openembedded.org/g/openembedded-core/message/160576 > Mute This Topic: https://lists.openembedded.org/mt/88426915/4422444 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sakib.sajal@windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Please disregard, sorry for the barrage of incomplete patch set. On 2022-01-14 1:03 p.m., Sakib Sajal wrote: > Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > --- > meta/recipes-devtools/qemu/qemu.inc | 1 + > .../qemu/qemu/CVE-2021-3593.patch | 40 +++++++++++++++++++ > 2 files changed, 41 insertions(+) > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc > index 6c00bf274b..6b544a4344 100644 > --- a/meta/recipes-devtools/qemu/qemu.inc > +++ b/meta/recipes-devtools/qemu/qemu.inc > @@ -73,6 +73,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > file://CVE-2021-3592_1.patch \ > file://CVE-2021-3592_2.patch \ > file://CVE-2021-3592_3.patch \ > + file://CVE-2021-3593.patch \ > " > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch > new file mode 100644 > index 0000000000..dd14c240a8 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch > @@ -0,0 +1,40 @@ > +From fe99634066e1074aaf55e83b576385877d7e4bcc Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com> > +Date: Fri, 4 Jun 2021 16:32:55 +0400 > +Subject: [PATCH 04/12] upd6: check udp6_input buffer size > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +Fixes: CVE-2021-3593 > +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 > + > +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> > + > +Upstream-Status: Backport [de71c15de66ba9350bf62c45b05f8fbff166517b] > +CVE: CVE-2021-3593 > + > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + slirp/src/udp6.c | 5 ++++- > + 1 file changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c > +index 6f9486bbc..8c490e4d1 100644 > +--- a/slirp/src/udp6.c > ++++ b/slirp/src/udp6.c > +@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m) > + ip = mtod(m, struct ip6 *); > + m->m_len -= iphlen; > + m->m_data += iphlen; > +- uh = mtod(m, struct udphdr *); > ++ uh = mtod_check(m, sizeof(struct udphdr)); > ++ if (uh == NULL) { > ++ goto bad; > ++ } > + m->m_len += iphlen; > + m->m_data -= iphlen; > + > +-- > +2.31.1 > + > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#160575): https://lists.openembedded.org/g/openembedded-core/message/160575 > Mute This Topic: https://lists.openembedded.org/mt/88426914/4422444 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sakib.sajal@windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Fri, 2022-01-14 at 13:10 -0500, Sakib Sajal wrote: > Please disregard, sorry for the barrage of incomplete patch set. Do you also have a branch on contrib that I can pull these patches from? Thanks, Anuj > On 2022-01-14 1:03 p.m., Sakib Sajal wrote: > > > Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > > --- > > meta/recipes-devtools/qemu/qemu.inc | 1 + > > .../qemu/qemu/CVE-2021-3593.patch | 40 > > +++++++++++++++++++ > > 2 files changed, 41 insertions(+) > > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021- > > 3593.patch > > > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes- > > devtools/qemu/qemu.inc > > index 6c00bf274b..6b544a4344 100644 > > --- a/meta/recipes-devtools/qemu/qemu.inc > > +++ b/meta/recipes-devtools/qemu/qemu.inc > > @@ -73,6 +73,7 @@ SRC_URI = > > "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > > file://CVE-2021-3592_1.patch \ > > file://CVE-2021-3592_2.patch \ > > file://CVE-2021-3592_3.patch \ > > + file://CVE-2021-3593.patch \ > > " > > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" > > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch > > new file mode 100644 > > index 0000000000..dd14c240a8 > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch > > @@ -0,0 +1,40 @@ > > +From fe99634066e1074aaf55e83b576385877d7e4bcc Mon Sep 17 00:00:00 > > 2001 > > +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= > > <marcandre.lureau@redhat.com> > > +Date: Fri, 4 Jun 2021 16:32:55 +0400 > > +Subject: [PATCH 04/12] upd6: check udp6_input buffer size > > +MIME-Version: 1.0 > > +Content-Type: text/plain; charset=UTF-8 > > +Content-Transfer-Encoding: 8bit > > + > > +Fixes: CVE-2021-3593 > > +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 > > + > > +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> > > + > > +Upstream-Status: Backport > > [de71c15de66ba9350bf62c45b05f8fbff166517b] > > +CVE: CVE-2021-3593 > > + > > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > > +--- > > + slirp/src/udp6.c | 5 ++++- > > + 1 file changed, 4 insertions(+), 1 deletion(-) > > + > > +diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c > > +index 6f9486bbc..8c490e4d1 100644 > > +--- a/slirp/src/udp6.c > > ++++ b/slirp/src/udp6.c > > +@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m) > > + ip = mtod(m, struct ip6 *); > > + m->m_len -= iphlen; > > + m->m_data += iphlen; > > +- uh = mtod(m, struct udphdr *); > > ++ uh = mtod_check(m, sizeof(struct udphdr)); > > ++ if (uh == NULL) { > > ++ goto bad; > > ++ } > > + m->m_len += iphlen; > > + m->m_data -= iphlen; > > + > > +-- > > +2.31.1 > > + > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#160583): > https://lists.openembedded.org/g/openembedded-core/message/160583 > Mute This Topic: https://lists.openembedded.org/mt/88427080/3616702 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: > https://lists.openembedded.org/g/openembedded-core/unsub [ > anuj.mittal@intel.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 463339e42b..6c00bf274b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -70,6 +70,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3607.patch \ file://CVE-2021-3608.patch \ file://CVE-2021-3682.patch \ + file://CVE-2021-3592_1.patch \ + file://CVE-2021-3592_2.patch \ + file://CVE-2021-3592_3.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch new file mode 100644 index 0000000000..e374959594 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch @@ -0,0 +1,58 @@ +From 0123c625aed2ed0679fa8c084104699d918c1da6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com> +Date: Fri, 4 Jun 2021 15:58:25 +0400 +Subject: [PATCH 01/12] Add mtod_check() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Recent security issues demonstrate the lack of safety care when casting +a mbuf to a particular structure type. At least, it should check that +the buffer is large enough. The following patches will make use of this +function. + +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> + +Upstream-Status: Backport [93e645e72a056ec0b2c16e0299fc5c6b94e4ca17] +CVE: CVE-2021-3592 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + slirp/src/mbuf.c | 11 +++++++++++ + slirp/src/mbuf.h | 1 + + 2 files changed, 12 insertions(+) + +diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c +index 54ec721eb..cb2e97108 100644 +--- a/slirp/src/mbuf.c ++++ b/slirp/src/mbuf.c +@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat) + + return (struct mbuf *)0; + } ++ ++void *mtod_check(struct mbuf *m, size_t len) ++{ ++ if (m->m_len >= len) { ++ return m->m_data; ++ } ++ ++ DEBUG_ERROR("mtod failed"); ++ ++ return NULL; ++} +diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h +index 546e7852c..2015e3232 100644 +--- a/slirp/src/mbuf.h ++++ b/slirp/src/mbuf.h +@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int); + void m_adj(struct mbuf *, int); + int m_copy(struct mbuf *, struct mbuf *, int, int); + struct mbuf *dtom(Slirp *, void *); ++void *mtod_check(struct mbuf *, size_t len); + + static inline void ifs_init(struct mbuf *ifm) + { +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch new file mode 100644 index 0000000000..799a95417e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch @@ -0,0 +1,165 @@ +From fc2a4797f55016e78f2cde4806b05368fa5b7a97 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com> +Date: Fri, 4 Jun 2021 19:25:28 +0400 +Subject: [PATCH 02/12] bootp: limit vendor-specific area to input packet + memory buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field +from the structure, to help with the following patch checking for +minimal header size. Modify the bootp_reply() function to take the +buffer boundaries and avoiding potential buffer overflow. + +Related to CVE-2021-3592. + +https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 + +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> + +Upstream-Status: Backport [f13cad45b25d92760bb0ad67bec0300a4d7d5275] +CVE: CVE-2021-3592 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + slirp/src/bootp.c | 26 +++++++++++++++----------- + slirp/src/bootp.h | 2 +- + slirp/src/mbuf.c | 5 +++++ + slirp/src/mbuf.h | 1 + + 4 files changed, 22 insertions(+), 12 deletions(-) + +diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c +index 46e96810a..e0db8d196 100644 +--- a/slirp/src/bootp.c ++++ b/slirp/src/bootp.c +@@ -92,21 +92,22 @@ found: + return bc; + } + +-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, ++static void dhcp_decode(const struct bootp_t *bp, ++ const uint8_t *bp_end, ++ int *pmsg_type, + struct in_addr *preq_addr) + { +- const uint8_t *p, *p_end; ++ const uint8_t *p; + int len, tag; + + *pmsg_type = 0; + preq_addr->s_addr = htonl(0L); + + p = bp->bp_vend; +- p_end = p + DHCP_OPT_LEN; + if (memcmp(p, rfc1533_cookie, 4) != 0) + return; + p += 4; +- while (p < p_end) { ++ while (p < bp_end) { + tag = p[0]; + if (tag == RFC1533_PAD) { + p++; +@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, + break; + } else { + p++; +- if (p >= p_end) ++ if (p >= bp_end) + break; + len = *p++; +- if (p + len > p_end) { ++ if (p + len > bp_end) { + break; + } + DPRINTF("dhcp: tag=%d len=%d\n", tag, len); +@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, + } + } + +-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) ++static void bootp_reply(Slirp *slirp, ++ const struct bootp_t *bp, ++ const uint8_t *bp_end) + { + BOOTPClient *bc = NULL; + struct mbuf *m; +@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) + uint8_t client_ethaddr[ETH_ALEN]; + + /* extract exact DHCP msg type */ +- dhcp_decode(bp, &dhcp_msg_type, &preq_addr); ++ dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr); + DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type); + if (preq_addr.s_addr != htonl(0L)) + DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr)); +@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) + return; + } + m->m_data += IF_MAXLINKHDR; ++ m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN); + rbp = (struct bootp_t *)m->m_data; + m->m_data += sizeof(struct udpiphdr); +- memset(rbp, 0, sizeof(struct bootp_t)); ++ memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN); + + if (dhcp_msg_type == DHCPDISCOVER) { + if (preq_addr.s_addr != htonl(0L)) { +@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) + rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */ + + q = rbp->bp_vend; +- end = (uint8_t *)&rbp[1]; ++ end = rbp->bp_vend + DHCP_OPT_LEN; + memcpy(q, rfc1533_cookie, 4); + q += 4; + +@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m) + struct bootp_t *bp = mtod(m, struct bootp_t *); + + if (bp->bp_op == BOOTP_REQUEST) { +- bootp_reply(m->slirp, bp); ++ bootp_reply(m->slirp, bp, m_end(m)); + } + } +diff --git a/slirp/src/bootp.h b/slirp/src/bootp.h +index a57fa51bc..31ce5fd33 100644 +--- a/slirp/src/bootp.h ++++ b/slirp/src/bootp.h +@@ -114,7 +114,7 @@ struct bootp_t { + uint8_t bp_hwaddr[16]; + uint8_t bp_sname[64]; + char bp_file[128]; +- uint8_t bp_vend[DHCP_OPT_LEN]; ++ uint8_t bp_vend[]; + }; + + typedef struct { +diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c +index cb2e97108..0c1a530f1 100644 +--- a/slirp/src/mbuf.c ++++ b/slirp/src/mbuf.c +@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len) + + return NULL; + } ++ ++void *m_end(struct mbuf *m) ++{ ++ return m->m_data + m->m_len; ++} +diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h +index 2015e3232..a9752a36e 100644 +--- a/slirp/src/mbuf.h ++++ b/slirp/src/mbuf.h +@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int); + int m_copy(struct mbuf *, struct mbuf *, int, int); + struct mbuf *dtom(Slirp *, void *); + void *mtod_check(struct mbuf *, size_t len); ++void *m_end(struct mbuf *); + + static inline void ifs_init(struct mbuf *ifm) + { +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch new file mode 100644 index 0000000000..f07a0faeb7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch @@ -0,0 +1,40 @@ +From d175694c607273b6c8f09717de9c455891d6765d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com> +Date: Fri, 4 Jun 2021 16:15:14 +0400 +Subject: [PATCH 03/12] bootp: check bootp_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3592 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 + +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> + +Upstream-Status: Backport [2eca0838eee1da96204545e22cdaed860d9d7c6c] +CVE: CVE-2021-3592 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + slirp/src/bootp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c +index e0db8d196..cafa1eb1f 100644 +--- a/slirp/src/bootp.c ++++ b/slirp/src/bootp.c +@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp, + + void bootp_input(struct mbuf *m) + { +- struct bootp_t *bp = mtod(m, struct bootp_t *); ++ struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t)); + +- if (bp->bp_op == BOOTP_REQUEST) { ++ if (bp && bp->bp_op == BOOTP_REQUEST) { + bootp_reply(m->slirp, bp, m_end(m)); + } + } +-- +2.31.1 +
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3592_1.patch | 58 ++++++ .../qemu/qemu/CVE-2021-3592_2.patch | 165 ++++++++++++++++++ .../qemu/qemu/CVE-2021-3592_3.patch | 40 +++++ 4 files changed, 266 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch