osdep: Fix ROUND_UP(64-bit, 32-bit)

When using bit-wise operations that exploit the power-of-two nature of the second argument of ROUND_UP(), we still need to ensure that the mask is as wide as the first argument (done by using a ternary to force proper arithmetic promotion). Unpatched, ROUND_UP(2ULL*1024*1024*1024*1024, 512U) produces 0, instead of the intended 2TiB, because negation of an unsigned 32-bit quantity followed by widening to 64-bits does not sign-extend the mask.
Broken since its introduction in commit 292c8e50 (v1.5.0). Callers that passed the same width type to both macro parameters, or that had other code to ensure the first parameter's maximum runtime value did not exceed the second parameter's width, are unaffected, but I did not audit to see which (if any) existing clients of the macro could trigger incorrect behavior (I found the bug while adding a new use of the macro). While preparing the patch, checkpatch complained about poor spacing, so I also fixed that here and in the nearby DIV_ROUND_UP. Affects qemu < v2.11.0 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com> --- .../qemu/qemu/CVE-2017-18043.patch | 63 ++++++++++++++++++++++ meta/recipes-devtools/qemu/qemu_2.10.0.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2017-18043.patch diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-18043.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-18043.patch new file mode 100644 index 0000000..955a24c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2017-18043.patch 
@@ -0,0 +1,63 @@ +From 2098b073f398cd628c09c5a78537a6854e85830d Mon Sep 17 00:00:00 2001 +From: Eric Blake <ebl...@redhat.com> +Date: Thu, 14 Sep 2017 08:49:23 -0500 +Subject: [PATCH] osdep: Fix ROUND_UP(64-bit, 32-bit) + +When using bit-wise operations that exploit the power-of-two +nature of the second argument of ROUND_UP(), we still need to +ensure that the mask is as wide as the first argument (done +by using a ternary to force proper arithmetic promotion). +Unpatched, ROUND_UP(2ULL*1024*1024*1024*1024, 512U) produces 0, +instead of the intended 2TiB, because negation of an unsigned +32-bit quantity followed by widening to 64-bits does not +sign-extend the mask. + +Broken since its introduction in commit 292c8e50 (v1.5.0). +Callers that passed the same width type to both macro parameters, +or that had other code to ensure the first parameter's maximum +runtime value did not exceed the second parameter's width, are +unaffected, but I did not audit to see which (if any) existing +clients of the macro could trigger incorrect behavior (I found +the bug while adding a new use of the macro). + +While preparing the patch, checkpatch complained about poor +spacing, so I also fixed that here and in the nearby DIV_ROUND_UP. 
+ +CVE: CVE-2017-18043 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2098b073f398cd628c09c5a78537a6854] + +CC: qemu-triv...@nongnu.org +CC: qemu-sta...@nongnu.org +Signed-off-by: Eric Blake <ebl...@redhat.com> +Reviewed-by: Laszlo Ersek <ler...@redhat.com> +Reviewed-by: Richard Henderson <richard.hender...@linaro.org> +Signed-off-by: Michael Tokarev <m...@tls.msk.ru> +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com> +--- + include/qemu/osdep.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h +index 72b75bf044..9dd318a7dd 100644 +--- a/include/qemu/osdep.h ++++ b/include/qemu/osdep.h +@@ -205,13 +205,13 @@ extern int daemon(int, int); + + /* Round number up to multiple. Requires that d be a power of 2 (see + * QEMU_ALIGN_UP for a safer but slower version on arbitrary +- * numbers) */ ++ * numbers); works even if d is a smaller type than n. */ + #ifndef ROUND_UP +-#define ROUND_UP(n,d) (((n) + (d) - 1) & -(d)) ++#define ROUND_UP(n, d) (((n) + (d) - 1) & -(0 ? (n) : (d))) + #endif + + #ifndef DIV_ROUND_UP +-#define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d)) ++#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d)) + #endif + + /* +-- +2.13.3 + diff --git a/meta/recipes-devtools/qemu/qemu_2.10.0.bb b/meta/recipes-devtools/qemu/qemu_2.10.0.bb index a3cfb7c..48b8675 100644 --- a/meta/recipes-devtools/qemu/qemu_2.10.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.10.0.bb @@ -32,6 +32,7 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \ file://memfd.patch \ file://0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch \ file://CVE-2017-15119.patch \ + file://CVE-2017-18043.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar" -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
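Review bot: The `0 ? (n) : (d)` idiom in `+#define ROUND_UP(n, d) (((n) + (d) - 1) & -(0 ? (n) : (d)))` is correct but non-obvious, and the updated header comment only says `works even if d is a smaller type than n`; a one-line comment in the backported osdep.h hunk stating that the conditional operator is there purely to apply the usual arithmetic conversions, so `d` is promoted to the wider of the two argument types before negation, would spare the next reader from re-deriving it. For the case named in the commit message, ROUND_UP(2ULL*1024*1024*1024*1024, 512U), the old mask is -(512U) zero-extended to 64 bits (low 32 bits 0xFFFFFE00, high bits clear), which clears the 2TiB bit and yields 0; the new mask is computed in unsigned long long, so every bit above bit 9 is set and the result is the intended 2TiB. Since the `(n)` branch of the conditional is never taken, `n` is still evaluated exactly once and the macro's side-effect behaviour is unchanged; `d` is evaluated twice as before. Separately, the Upstream-Status link `h=2098b073f398cd628c09c5a78537a6854` carries a 33-character truncated hash while the From line gives the full id 2098b073f398cd628c09c5a78537a6854e85830d; please use the full 40-character id in the link so it stays unambiguous. The CVE and Upstream-Status tags otherwise follow the oe-core patch header conventions.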