@@ -70,6 +70,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3607.patch \
file://CVE-2021-3608.patch \
file://CVE-2021-3682.patch \
+ file://CVE-2021-3592_1.patch \
+ file://CVE-2021-3592_2.patch \
+ file://CVE-2021-3592_3.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
new file mode 100644
@@ -0,0 +1,58 @@
+From 0123c625aed2ed0679fa8c084104699d918c1da6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 15:58:25 +0400
+Subject: [PATCH 01/12] Add mtod_check()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recent security issues demonstrate the lack of safety care when casting
+a mbuf to a particular structure type. At least, it should check that
+the buffer is large enough. The following patches will make use of this
+function.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [93e645e72a056ec0b2c16e0299fc5c6b94e4ca17]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/mbuf.c | 11 +++++++++++
+ slirp/src/mbuf.h | 1 +
+ 2 files changed, 12 insertions(+)
+
+diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c
+index 54ec721eb..cb2e97108 100644
+--- a/slirp/src/mbuf.c
++++ b/slirp/src/mbuf.c
+@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat)
+
+ return (struct mbuf *)0;
+ }
++
++void *mtod_check(struct mbuf *m, size_t len)
++{
++ if (m->m_len >= len) {
++ return m->m_data;
++ }
++
++ DEBUG_ERROR("mtod failed");
++
++ return NULL;
++}
+diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h
+index 546e7852c..2015e3232 100644
+--- a/slirp/src/mbuf.h
++++ b/slirp/src/mbuf.h
+@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
+ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
++void *mtod_check(struct mbuf *, size_t len);
+
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+--
+2.31.1
+
new file mode 100644
@@ -0,0 +1,165 @@
+From fc2a4797f55016e78f2cde4806b05368fa5b7a97 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 19:25:28 +0400
+Subject: [PATCH 02/12] bootp: limit vendor-specific area to input packet
+ memory buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
+from the structure, to help with the following patch checking for
+minimal header size. Modify the bootp_reply() function to take the
+buffer boundaries and avoiding potential buffer overflow.
+
+Related to CVE-2021-3592.
+
+https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [f13cad45b25d92760bb0ad67bec0300a4d7d5275]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/bootp.c | 26 +++++++++++++++-----------
+ slirp/src/bootp.h | 2 +-
+ slirp/src/mbuf.c | 5 +++++
+ slirp/src/mbuf.h | 1 +
+ 4 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
+index 46e96810a..e0db8d196 100644
+--- a/slirp/src/bootp.c
++++ b/slirp/src/bootp.c
+@@ -92,21 +92,22 @@ found:
+ return bc;
+ }
+
+-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
++static void dhcp_decode(const struct bootp_t *bp,
++ const uint8_t *bp_end,
++ int *pmsg_type,
+ struct in_addr *preq_addr)
+ {
+- const uint8_t *p, *p_end;
++ const uint8_t *p;
+ int len, tag;
+
+ *pmsg_type = 0;
+ preq_addr->s_addr = htonl(0L);
+
+ p = bp->bp_vend;
+- p_end = p + DHCP_OPT_LEN;
+ if (memcmp(p, rfc1533_cookie, 4) != 0)
+ return;
+ p += 4;
+- while (p < p_end) {
++ while (p < bp_end) {
+ tag = p[0];
+ if (tag == RFC1533_PAD) {
+ p++;
+@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+ break;
+ } else {
+ p++;
+- if (p >= p_end)
++ if (p >= bp_end)
+ break;
+ len = *p++;
+- if (p + len > p_end) {
++ if (p + len > bp_end) {
+ break;
+ }
+ DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+ }
+ }
+
+-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
++static void bootp_reply(Slirp *slirp,
++ const struct bootp_t *bp,
++ const uint8_t *bp_end)
+ {
+ BOOTPClient *bc = NULL;
+ struct mbuf *m;
+@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+ uint8_t client_ethaddr[ETH_ALEN];
+
+ /* extract exact DHCP msg type */
+- dhcp_decode(bp, &dhcp_msg_type, &preq_addr);
++ dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr);
+ DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type);
+ if (preq_addr.s_addr != htonl(0L))
+ DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr));
+@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+ return;
+ }
+ m->m_data += IF_MAXLINKHDR;
++ m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+ rbp = (struct bootp_t *)m->m_data;
+ m->m_data += sizeof(struct udpiphdr);
+- memset(rbp, 0, sizeof(struct bootp_t));
++ memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+
+ if (dhcp_msg_type == DHCPDISCOVER) {
+ if (preq_addr.s_addr != htonl(0L)) {
+@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+ rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
+
+ q = rbp->bp_vend;
+- end = (uint8_t *)&rbp[1];
++ end = rbp->bp_vend + DHCP_OPT_LEN;
+ memcpy(q, rfc1533_cookie, 4);
+ q += 4;
+
+@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m)
+ struct bootp_t *bp = mtod(m, struct bootp_t *);
+
+ if (bp->bp_op == BOOTP_REQUEST) {
+- bootp_reply(m->slirp, bp);
++ bootp_reply(m->slirp, bp, m_end(m));
+ }
+ }
+diff --git a/slirp/src/bootp.h b/slirp/src/bootp.h
+index a57fa51bc..31ce5fd33 100644
+--- a/slirp/src/bootp.h
++++ b/slirp/src/bootp.h
+@@ -114,7 +114,7 @@ struct bootp_t {
+ uint8_t bp_hwaddr[16];
+ uint8_t bp_sname[64];
+ char bp_file[128];
+- uint8_t bp_vend[DHCP_OPT_LEN];
++ uint8_t bp_vend[];
+ };
+
+ typedef struct {
+diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c
+index cb2e97108..0c1a530f1 100644
+--- a/slirp/src/mbuf.c
++++ b/slirp/src/mbuf.c
+@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len)
+
+ return NULL;
+ }
++
++void *m_end(struct mbuf *m)
++{
++ return m->m_data + m->m_len;
++}
+diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h
+index 2015e3232..a9752a36e 100644
+--- a/slirp/src/mbuf.h
++++ b/slirp/src/mbuf.h
+@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
+ void *mtod_check(struct mbuf *, size_t len);
++void *m_end(struct mbuf *);
+
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+--
+2.31.1
+
new file mode 100644
@@ -0,0 +1,40 @@
+From d175694c607273b6c8f09717de9c455891d6765d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:15:14 +0400
+Subject: [PATCH 03/12] bootp: check bootp_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3592
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [2eca0838eee1da96204545e22cdaed860d9d7c6c]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/bootp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
+index e0db8d196..cafa1eb1f 100644
+--- a/slirp/src/bootp.c
++++ b/slirp/src/bootp.c
+@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp,
+
+ void bootp_input(struct mbuf *m)
+ {
+- struct bootp_t *bp = mtod(m, struct bootp_t *);
++ struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t));
+
+- if (bp->bp_op == BOOTP_REQUEST) {
++ if (bp && bp->bp_op == BOOTP_REQUEST) {
+ bootp_reply(m->slirp, bp, m_end(m));
+ }
+ }
+--
+2.31.1
+
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3592_1.patch | 58 ++++++ .../qemu/qemu/CVE-2021-3592_2.patch | 165 ++++++++++++++++++ .../qemu/qemu/CVE-2021-3592_3.patch | 40 +++++ 4 files changed, 266 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch