2 lat temu · 8dc68c2a80
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,6 +29,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 
				            file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \
			
 
				            file://0001-net-tulip-Restrict-DMA-engine-to-memories.patch \
			
 
				            file://arm-cpreg-fix.patch \
			
 
				+           file://CVE-2022-3165.patch \
			
 
				            "
			
 
				 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
			
 
				 
			
--- a/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
@@ -0,0 +1,59 @@
 
				+CVE: CVE-2022-3165
			
 
				+Upstream-Status: Backport
			
 
				+Signed-off-by: Ross Burton <ross.burton@arm.com>
			
 
				+
			
 
				+From d307040b18bfcb1393b910f1bae753d5c12a4dc7 Mon Sep 17 00:00:00 2001
			
 
				+From: Mauro Matteo Cascella <mcascell@redhat.com>
			
 
				+Date: Sun, 25 Sep 2022 22:45:11 +0200
			
 
				+Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
			
 
				+ vnc_client_cut_text_ext
			
 
				+
			
 
				+Extended ClientCutText messages start with a 4-byte header. If len < 4,
			
 
				+an integer underflow occurs in vnc_client_cut_text_ext. The result is
			
 
				+used to decompress data in a while loop in inflate_buffer, leading to
			
 
				+CPU consumption and denial of service. Prevent this by checking dlen in
			
 
				+protocol_client_msg.
			
 
				+
			
 
				+Fixes: CVE-2022-3165
			
 
				+Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
			
 
				+Reported-by: TangPeng <tangpeng@qianxin.com>
			
 
				+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
			
 
				+Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
			
 
				+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
			
 
				+---
			
 
				+ ui/vnc.c | 11 ++++++++---
			
 
				+ 1 file changed, 8 insertions(+), 3 deletions(-)
			
 
				+
			
 
				+diff --git a/ui/vnc.c b/ui/vnc.c
			
 
				+index 6a05d06147..acb3629cd8 100644
			
 
				+--- a/ui/vnc.c
			
 
				++++ b/ui/vnc.c
			
 
				+@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
			
 
				+         if (len == 1) {
			
 
				+             return 8;
			
 
				+         }
			
 
				++        uint32_t dlen = abs(read_s32(data, 4));
			
 
				+         if (len == 8) {
			
 
				+-            uint32_t dlen = abs(read_s32(data, 4));
			
 
				+             if (dlen > (1 << 20)) {
			
 
				+                 error_report("vnc: client_cut_text msg payload has %u bytes"
			
 
				+                              " which exceeds our limit of 1MB.", dlen);
			
 
				+@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
			
 
				+         }
			
 
				+ 
			
 
				+         if (read_s32(data, 4) < 0) {
			
 
				+-            vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
			
 
				+-                                    read_u32(data, 8), data + 12);
			
 
				++            if (dlen < 4) {
			
 
				++                error_report("vnc: malformed payload (header less than 4 bytes)"
			
 
				++                             " in extended clipboard pseudo-encoding.");
			
 
				++                vnc_client_error(vs);
			
 
				++                break;
			
 
				++            }
			
 
				++            vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
			
 
				+             break;
			
 
				+         }
			
 
				+         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
			
 
				+-- 
			
 
				+GitLab
			
 
				+