packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

qemu: pick serveral patches from upstream that fix CVE

Browse Source 
Fix CVE-2020-13361, CVE-2020-13659, CVE-2020-13800, CVE-2020-13362

Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
This commit is contained in:
zhanghailiang 2020-07-25 13:25:59 +08:00
parent 213ba4bb5a
commit bac79dd0c6
8 changed files with 506 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
ati-vga-check-mm_index-before-recursive-call-CVE-202.patch Normal file
View File

@ -0,0 +1,59 @@
From 89554d2f71d4c79c5d8e804d90d74f3985d7ded5 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 4 Jun 2020 14:38:30 +0530
Subject: [PATCH 3/9] ati-vga: check mm_index before recursive call
(CVE-2020-13800)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid such recursion. Log an
error message for wrong values.
Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Message-id: 20200604090830.33885-1-ppandit@redhat.com
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/ati.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/hw/display/ati.c b/hw/display/ati.c
index a747c4cc98..5943040416 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -261,8 +261,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
if (idx <= s->vga.vram_size - size) {
val = ldn_le_p(s->vga.vram_ptr + idx, size);
}
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
+ } else {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
}
break;
case BIOS_0_SCRATCH ... BUS_CNTL - 1:
@@ -472,8 +475,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
if (idx <= s->vga.vram_size - size) {
stn_le_p(s->vga.vram_ptr + idx, size, data);
}
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
+ } else {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
}
break;
case BIOS_0_SCRATCH ... BUS_CNTL - 1:
--
2.25.1

60
es1370-check-total-frame-count-against-current-frame.patch Normal file
View File

@ -0,0 +1,60 @@
From 22bbf1a90ac11fe30e1665c09f9ad904683b6ddc Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 15 May 2020 01:36:08 +0530
Subject: [PATCH 1/9] es1370: check total frame count against current frame
A guest user may set channel frame count via es1370_write()
such that, in es1370_transfer_audio(), total frame count
'size' is lesser than the number of frames that are processed
'cnt'.
int cnt = d->frame_cnt >> 16;
int size = d->frame_cnt & 0xffff;
if (size < cnt), it results in incorrect calculations leading
to OOB access issue(s). Add check to avoid it.
Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20200514200608.1744203-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/audio/es1370.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
index 260c142b70..eff7d03ae1 100644
--- a/hw/audio/es1370.c
+++ b/hw/audio/es1370.c
@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
int csc_bytes = (csc + 1) << d->shift;
int cnt = d->frame_cnt >> 16;
int size = d->frame_cnt & 0xffff;
+ if (size < cnt) {
+ return;
+ }
int left = ((size - cnt + 1) << 2) + d->leftover;
int transferred = 0;
int temp = audio_MIN (max, audio_MIN (left, csc_bytes));
@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
addr += (cnt << 2) + d->leftover;
if (index == ADC_CHANNEL) {
- while (temp) {
+ while (temp > 0) {
int acquired, to_copy;
to_copy = audio_MIN ((size_t) temp, sizeof (tmpbuf));
@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
else {
SWVoiceOut *voice = s->dac_voice[index];
- while (temp) {
+ while (temp > 0) {
int copied, to_copy;
to_copy = audio_MIN ((size_t) temp, sizeof (tmpbuf));
--
2.25.1

54
exec-set-map-length-to-zero-when-returning-NULL.patch Normal file
View File

@ -0,0 +1,54 @@
From a1a9d6f908b21878daa7868313243c30b7a90fcf Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 26 May 2020 16:47:43 +0530
Subject: [PATCH 2/9] exec: set map length to zero when returning NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When mapping physical memory into host's virtual address space,
'address_space_map' may return NULL if BounceBuffer is in_use.
Set and return '*plen = 0' to avoid later NULL pointer dereference.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
exec.c | 1 +
include/exec/memory.h | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/exec.c b/exec.c
index 3e78de3b8f..85c6d80353 100644
--- a/exec.c
+++ b/exec.c
@@ -3739,6 +3739,7 @@ void *address_space_map(AddressSpace *as,
if (!memory_access_is_direct(mr, is_write)) {
if (atomic_xchg(&bounce.in_use, true)) {
rcu_read_unlock();
+ *plen = 0;
return NULL;
}
/* Avoid unbounded allocations */
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 611a89122d..dca8184277 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -2064,7 +2064,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
/* address_space_map: map a physical memory region into a host virtual address
*
* May map a subset of the requested range, given by and returned in @plen.
- * May return %NULL if resources needed to perform the mapping are exhausted.
+ * May return %NULL and set *@plen to zero(0), if resources needed to perform
+ * the mapping are exhausted.
* Use only for reads OR writes - not for read-modify-write operations.
* Use cpu_register_map_client() to know when retrying the map operation is
* likely to succeed.
--
2.25.1

132
hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch Normal file
View File

@ -0,0 +1,132 @@
From 5ec15fabe78e385a81e44c7944cd05309de7f36e Mon Sep 17 00:00:00 2001
From: Thomas Huth <thuth@redhat.com>
Date: Mon, 15 Jun 2020 09:26:29 +0200
Subject: [PATCH 7/9] hw/scsi/megasas: Fix possible out-of-bounds array access
in tracepoints
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some tracepoints in megasas.c use a guest-controlled value as an index
into the mfi_frame_desc[] array. Thus a malicious guest could cause an
out-of-bounds error here. Fortunately, the impact is very low since this
can only happen when the corresponding tracepoints have been enabled
before, but the problem should be fixed anyway with a proper check.
Buglink: https://bugs.launchpad.net/qemu/+bug/1882065
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20200615072629.32321-1-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/megasas.c | 36 +++++++++++++++++++++++-------------
1 file changed, 23 insertions(+), 13 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 94469e8169..9421f4d14e 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -53,10 +53,6 @@
#define MEGASAS_FLAG_USE_QUEUE64 1
#define MEGASAS_MASK_USE_QUEUE64 (1 << MEGASAS_FLAG_USE_QUEUE64)
-static const char *mfi_frame_desc[] = {
- "MFI init", "LD Read", "LD Write", "LD SCSI", "PD SCSI",
- "MFI Doorbell", "MFI Abort", "MFI SMP", "MFI Stop"};
-
typedef struct MegasasCmd {
uint32_t index;
uint16_t flags;
@@ -182,6 +178,20 @@ static void megasas_frame_set_scsi_status(MegasasState *s,
stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), v);
}
+static inline const char *mfi_frame_desc(unsigned int cmd)
+{
+ static const char *mfi_frame_descs[] = {
+ "MFI init", "LD Read", "LD Write", "LD SCSI", "PD SCSI",
+ "MFI Doorbell", "MFI Abort", "MFI SMP", "MFI Stop"
+ };
+
+ if (cmd < ARRAY_SIZE(mfi_frame_descs)) {
+ return mfi_frame_descs[cmd];
+ }
+
+ return "Unknown";
+}
+
/*
* Context is considered opaque, but the HBA firmware is running
* in little endian mode. So convert it to little endian, too.
@@ -1669,25 +1679,25 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
if (is_logical) {
if (target_id >= MFI_MAX_LD || lun_id != 0) {
trace_megasas_scsi_target_not_present(
- mfi_frame_desc[frame_cmd], is_logical, target_id, lun_id);
+ mfi_frame_desc(frame_cmd), is_logical, target_id, lun_id);
return MFI_STAT_DEVICE_NOT_FOUND;
}
}
sdev = scsi_device_find(&s->bus, 0, target_id, lun_id);
cmd->iov_size = le32_to_cpu(cmd->frame->header.data_len);
- trace_megasas_handle_scsi(mfi_frame_desc[frame_cmd], is_logical,
+ trace_megasas_handle_scsi(mfi_frame_desc(frame_cmd), is_logical,
target_id, lun_id, sdev, cmd->iov_size);
if (!sdev || (megasas_is_jbod(s) && is_logical)) {
trace_megasas_scsi_target_not_present(
- mfi_frame_desc[frame_cmd], is_logical, target_id, lun_id);
+ mfi_frame_desc(frame_cmd), is_logical, target_id, lun_id);
return MFI_STAT_DEVICE_NOT_FOUND;
}
if (cdb_len > 16) {
trace_megasas_scsi_invalid_cdb_len(
- mfi_frame_desc[frame_cmd], is_logical,
+ mfi_frame_desc(frame_cmd), is_logical,
target_id, lun_id, cdb_len);
megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
cmd->frame->header.scsi_status = CHECK_CONDITION;
@@ -1705,7 +1715,7 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
cmd->req = scsi_req_new(sdev, cmd->index, lun_id, cdb, cmd);
if (!cmd->req) {
trace_megasas_scsi_req_alloc_failed(
- mfi_frame_desc[frame_cmd], target_id, lun_id);
+ mfi_frame_desc(frame_cmd), target_id, lun_id);
megasas_write_sense(cmd, SENSE_CODE(NO_SENSE));
cmd->frame->header.scsi_status = BUSY;
s->event_count++;
@@ -1750,17 +1760,17 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
}
trace_megasas_handle_io(cmd->index,
- mfi_frame_desc[frame_cmd], target_id, lun_id,
+ mfi_frame_desc(frame_cmd), target_id, lun_id,
(unsigned long)lba_start, (unsigned long)lba_count);
if (!sdev) {
trace_megasas_io_target_not_present(cmd->index,
- mfi_frame_desc[frame_cmd], target_id, lun_id);
+ mfi_frame_desc(frame_cmd), target_id, lun_id);
return MFI_STAT_DEVICE_NOT_FOUND;
}
if (cdb_len > 16) {
trace_megasas_scsi_invalid_cdb_len(
- mfi_frame_desc[frame_cmd], 1, target_id, lun_id, cdb_len);
+ mfi_frame_desc(frame_cmd), 1, target_id, lun_id, cdb_len);
megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
cmd->frame->header.scsi_status = CHECK_CONDITION;
s->event_count++;
@@ -1780,7 +1790,7 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
lun_id, cdb, cmd);
if (!cmd->req) {
trace_megasas_scsi_req_alloc_failed(
- mfi_frame_desc[frame_cmd], target_id, lun_id);
+ mfi_frame_desc(frame_cmd), target_id, lun_id);
megasas_write_sense(cmd, SENSE_CODE(NO_SENSE));
cmd->frame->header.scsi_status = BUSY;
s->event_count++;
--
2.25.1

36
megasas-avoid-NULL-pointer-dereference.patch Normal file
View File

@ -0,0 +1,36 @@
From cf7f42b21aaa7694c6232a9a5027de9df341f299 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 14 May 2020 00:55:39 +0530
Subject: [PATCH 5/9] megasas: avoid NULL pointer dereference
While in megasas_handle_frame(), megasas_enqueue_frame() may
set a NULL frame into MegasasCmd object for a given 'frame_addr'
address. Add check to avoid a NULL pointer dereference issue.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Acked-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20200513192540.1583887-3-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/megasas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 7ee331d9da..5923ffbd22 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -503,7 +503,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
cmd->pa = frame;
/* Map all possible frames */
cmd->frame = pci_dma_map(pcid, frame, &frame_size_p, 0);
- if (frame_size_p != frame_size) {
+ if (!cmd->frame || frame_size_p != frame_size) {
trace_megasas_qf_map_failed(cmd->index, (unsigned long)frame);
if (cmd->frame) {
megasas_unmap_frame(s, cmd);
--
2.25.1

97
megasas-use-unsigned-type-for-positive-numeric-field.patch Normal file
View File

@ -0,0 +1,97 @@
From 7bad515189482d289d3efe4133c8af9f184662e4 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 14 May 2020 00:55:40 +0530
Subject: [PATCH 6/9] megasas: use unsigned type for positive numeric fields
Use unsigned type for the MegasasState fields which hold positive
numeric values.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20200513192540.1583887-4-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/megasas.c | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 5923ffbd22..94469e8169 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -85,34 +85,34 @@ typedef struct MegasasState {
MemoryRegion queue_io;
uint32_t frame_hi;
- int fw_state;
+ uint32_t fw_state;
uint32_t fw_sge;
uint32_t fw_cmds;
uint32_t flags;
- int fw_luns;
- int intr_mask;
- int doorbell;
- int busy;
- int diag;
- int adp_reset;
+ uint32_t fw_luns;
+ uint32_t intr_mask;
+ uint32_t doorbell;
+ uint32_t busy;
+ uint32_t diag;
+ uint32_t adp_reset;
OnOffAuto msi;
OnOffAuto msix;
MegasasCmd *event_cmd;
- int event_locale;
+ uint16_t event_locale;
int event_class;
- int event_count;
- int shutdown_event;
- int boot_event;
+ uint32_t event_count;
+ uint32_t shutdown_event;
+ uint32_t boot_event;
uint64_t sas_addr;
char *hba_serial;
uint64_t reply_queue_pa;
void *reply_queue;
- int reply_queue_len;
+ uint16_t reply_queue_len;
uint16_t reply_queue_head;
- int reply_queue_tail;
+ uint16_t reply_queue_tail;
uint64_t consumer_pa;
uint64_t producer_pa;
@@ -2258,9 +2258,9 @@ static const VMStateDescription vmstate_megasas_gen1 = {
VMSTATE_PCI_DEVICE(parent_obj, MegasasState),
VMSTATE_MSIX(parent_obj, MegasasState),
- VMSTATE_INT32(fw_state, MegasasState),
- VMSTATE_INT32(intr_mask, MegasasState),
- VMSTATE_INT32(doorbell, MegasasState),
+ VMSTATE_UINT32(fw_state, MegasasState),
+ VMSTATE_UINT32(intr_mask, MegasasState),
+ VMSTATE_UINT32(doorbell, MegasasState),
VMSTATE_UINT64(reply_queue_pa, MegasasState),
VMSTATE_UINT64(consumer_pa, MegasasState),
VMSTATE_UINT64(producer_pa, MegasasState),
@@ -2277,9 +2277,9 @@ static const VMStateDescription vmstate_megasas_gen2 = {
VMSTATE_PCI_DEVICE(parent_obj, MegasasState),
VMSTATE_MSIX(parent_obj, MegasasState),
- VMSTATE_INT32(fw_state, MegasasState),
- VMSTATE_INT32(intr_mask, MegasasState),
- VMSTATE_INT32(doorbell, MegasasState),
+ VMSTATE_UINT32(fw_state, MegasasState),
+ VMSTATE_UINT32(intr_mask, MegasasState),
+ VMSTATE_UINT32(doorbell, MegasasState),
VMSTATE_UINT64(reply_queue_pa, MegasasState),
VMSTATE_UINT64(consumer_pa, MegasasState),
VMSTATE_UINT64(producer_pa, MegasasState),
--
2.25.1

51
megasas-use-unsigned-type-for-reply_queue_head-and-c.patch Normal file
View File

@ -0,0 +1,51 @@
From e081fb1058e357d4d7adc30201013a46123fe2ae Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 14 May 2020 00:55:38 +0530
Subject: [PATCH 4/9] megasas: use unsigned type for reply_queue_head and check
index
A guest user may set 'reply_queue_head' field of MegasasState to
a negative value. Later in 'megasas_lookup_frame' it is used to
index into s->frames[] array. Use unsigned type to avoid OOB
access issue.
Also check that 'index' value stays within s->frames[] bounds
through the while() loop in 'megasas_lookup_frame' to avoid OOB
access.
Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Acked-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/megasas.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 0c4399930a..7ee331d9da 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -111,7 +111,7 @@ typedef struct MegasasState {
uint64_t reply_queue_pa;
void *reply_queue;
int reply_queue_len;
- int reply_queue_head;
+ uint16_t reply_queue_head;
int reply_queue_tail;
uint64_t consumer_pa;
uint64_t producer_pa;
@@ -444,7 +444,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
index = s->reply_queue_head;
- while (num < s->fw_cmds) {
+ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
if (s->frames[index].pa && s->frames[index].pa == frame) {
cmd = &s->frames[index];
break;
--
2.25.1

18
qemu.spec
View File

@ -1,6 +1,6 @@
Name: qemu
Version: 4.1.0
Release: 15
Release: 16
Epoch: 2
Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY
@ -176,6 +176,13 @@ Patch0163: vtimer-Drop-vtimer-virtual-timer-adjust.patch
Patch0164: target-arm-Add-the-kvm_adjvtime-vcpu-property-for-Co.patch
Patch0165: target-arm-Fix-PAuth-sbox-functions.patch
Patch0166: tests-Disalbe-filemonitor-testcase.patch
Patch0167: es1370-check-total-frame-count-against-current-frame.patch
Patch0168: exec-set-map-length-to-zero-when-returning-NULL.patch
Patch0169: ati-vga-check-mm_index-before-recursive-call-CVE-202.patch
Patch0170: megasas-use-unsigned-type-for-reply_queue_head-and-c.patch
Patch0171: megasas-avoid-NULL-pointer-dereference.patch
Patch0172: megasas-use-unsigned-type-for-positive-numeric-field.patch
Patch0173: hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch
BuildRequires: flex
BuildRequires: bison
@ -521,6 +528,15 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Thu Aug 6 2020 Huawei Technologies Co., Ltd <zhang.zhanghailiang@huawei.com>
- es1370: check total frame count against current frame
- exec: set map length to zero when returning NULL
- ati-vga: check mm_index before recursive call (CVE-2020-13800)
- megasas: use unsigned type for reply_queue_head and check index
- megasas: avoid NULL pointer dereference
- megasas: use unsigned type for positive numeric fields
- hw/scsi/megasas: Fix possible out-of-bounds array access in tracepoints
* Thu Aug 6 2020 Huawei Technologies Co., Ltd <fangying1@huawei.com>
- tests: Disalbe filemonitor testcase