[hardknott,1/8] qemu: fix CVE-2021-3592

Message ID 20220114180320.3526-1-sakib.sajal@windriver.com
State New
Headers show
Series [hardknott,1/8] qemu: fix CVE-2021-3592 | expand

Commit Message

Sakib Sajal Jan. 14, 2022, 6:03 p.m. UTC
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |   3 +
 .../qemu/qemu/CVE-2021-3592_1.patch           |  58 ++++++
 .../qemu/qemu/CVE-2021-3592_2.patch           | 165 ++++++++++++++++++
 .../qemu/qemu/CVE-2021-3592_3.patch           |  40 +++++
 4 files changed, 266 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch

Comments

Sakib Sajal Jan. 14, 2022, 6:10 p.m. UTC | #1
Please disregard, sorry for the barrage of incomplete patch set.

On 2022-01-14 1:03 p.m., Sakib Sajal wrote:
> Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> ---
>   meta/recipes-devtools/qemu/qemu.inc           |  1 +
>   .../qemu/qemu/CVE-2021-3594.patch             | 40 +++++++++++++++++++
>   2 files changed, 41 insertions(+)
>   create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index 811bdff426..4198d3a52c 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -76,6 +76,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
>              file://CVE-2021-3593.patch \
>              file://CVE-2021-3595_1.patch \
>              file://CVE-2021-3595_2.patch \
> +           file://CVE-2021-3594.patch \
>              "
>   UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>   
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
> new file mode 100644
> index 0000000000..c99ba7a7cc
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
> @@ -0,0 +1,40 @@
> +From 7a5ffd5475f2cbfe3cf91d9584893f1a4b3b4dff Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
> +Date: Fri, 4 Jun 2021 16:40:23 +0400
> +Subject: [PATCH 07/12] udp: check upd_input buffer size
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Fixes: CVE-2021-3594
> +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
> +
> +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +
> +Upstream-Status: Backport [74572be49247c8c5feae7c6e0b50c4f569ca9824]
> +CVE: CVE-2021-3594
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + slirp/src/udp.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/slirp/src/udp.c b/slirp/src/udp.c
> +index 0ad44d7c0..18b4acdfa 100644
> +--- a/slirp/src/udp.c
> ++++ b/slirp/src/udp.c
> +@@ -93,7 +93,10 @@ void udp_input(register struct mbuf *m, int iphlen)
> +     /*
> +      * Get IP and UDP header together in first mbuf.
> +      */
> +-    ip = mtod(m, struct ip *);
> ++    ip = mtod_check(m, iphlen + sizeof(struct udphdr));
> ++    if (ip == NULL) {
> ++        goto bad;
> ++    }
> +     uh = (struct udphdr *)((char *)ip + iphlen);
> +
> +     /*
> +--
> +2.31.1
> +
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160576): https://lists.openembedded.org/g/openembedded-core/message/160576
> Mute This Topic: https://lists.openembedded.org/mt/88426915/4422444
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sakib.sajal@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Sakib Sajal Jan. 14, 2022, 6:10 p.m. UTC | #2
Please disregard, sorry for the barrage of incomplete patch set.

On 2022-01-14 1:03 p.m., Sakib Sajal wrote:
> Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> ---
>   meta/recipes-devtools/qemu/qemu.inc           |  1 +
>   .../qemu/qemu/CVE-2021-3593.patch             | 40 +++++++++++++++++++
>   2 files changed, 41 insertions(+)
>   create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index 6c00bf274b..6b544a4344 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -73,6 +73,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
>              file://CVE-2021-3592_1.patch \
>              file://CVE-2021-3592_2.patch \
>              file://CVE-2021-3592_3.patch \
> +           file://CVE-2021-3593.patch \
>              "
>   UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>   
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
> new file mode 100644
> index 0000000000..dd14c240a8
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
> @@ -0,0 +1,40 @@
> +From fe99634066e1074aaf55e83b576385877d7e4bcc Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
> +Date: Fri, 4 Jun 2021 16:32:55 +0400
> +Subject: [PATCH 04/12] upd6: check udp6_input buffer size
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Fixes: CVE-2021-3593
> +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
> +
> +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +
> +Upstream-Status: Backport [de71c15de66ba9350bf62c45b05f8fbff166517b]
> +CVE: CVE-2021-3593
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + slirp/src/udp6.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c
> +index 6f9486bbc..8c490e4d1 100644
> +--- a/slirp/src/udp6.c
> ++++ b/slirp/src/udp6.c
> +@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m)
> +     ip = mtod(m, struct ip6 *);
> +     m->m_len -= iphlen;
> +     m->m_data += iphlen;
> +-    uh = mtod(m, struct udphdr *);
> ++    uh = mtod_check(m, sizeof(struct udphdr));
> ++    if (uh == NULL) {
> ++        goto bad;
> ++    }
> +     m->m_len += iphlen;
> +     m->m_data -= iphlen;
> +
> +--
> +2.31.1
> +
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160575): https://lists.openembedded.org/g/openembedded-core/message/160575
> Mute This Topic: https://lists.openembedded.org/mt/88426914/4422444
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sakib.sajal@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Anuj Mittal Jan. 15, 2022, 2:55 a.m. UTC | #3
On Fri, 2022-01-14 at 13:10 -0500, Sakib Sajal wrote:
> Please disregard, sorry for the barrage of incomplete patch set.

Do you also have a branch on contrib that I can pull these patches
from?

Thanks,

Anuj

> On 2022-01-14 1:03 p.m., Sakib Sajal wrote:
>  
> > Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> > ---
> >  meta/recipes-devtools/qemu/qemu.inc           |  1 +
> >  .../qemu/qemu/CVE-2021-3593.patch             | 40
> > +++++++++++++++++++
> >  2 files changed, 41 insertions(+)
> >  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-
> > 3593.patch
> > 
> > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-
> > devtools/qemu/qemu.inc
> > index 6c00bf274b..6b544a4344 100644
> > --- a/meta/recipes-devtools/qemu/qemu.inc
> > +++ b/meta/recipes-devtools/qemu/qemu.inc
> > @@ -73,6 +73,7 @@ SRC_URI =
> > "https://download.qemu.org/${BPN}-${PV}.tar.xz \
> >             file://CVE-2021-3592_1.patch \
> >             file://CVE-2021-3592_2.patch \
> >             file://CVE-2021-3592_3.patch \
> > +           file://CVE-2021-3593.patch \
> >             "
> >  UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
> >  
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
> > new file mode 100644
> > index 0000000000..dd14c240a8
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
> > @@ -0,0 +1,40 @@
> > +From fe99634066e1074aaf55e83b576385877d7e4bcc Mon Sep 17 00:00:00
> > 2001
> > +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
> > <marcandre.lureau@redhat.com>
> > +Date: Fri, 4 Jun 2021 16:32:55 +0400
> > +Subject: [PATCH 04/12] upd6: check udp6_input buffer size
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset=UTF-8
> > +Content-Transfer-Encoding: 8bit
> > +
> > +Fixes: CVE-2021-3593
> > +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
> > +
> > +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> > +
> > +Upstream-Status: Backport
> > [de71c15de66ba9350bf62c45b05f8fbff166517b]
> > +CVE: CVE-2021-3593
> > +
> > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> > +---
> > + slirp/src/udp6.c | 5 ++++-
> > + 1 file changed, 4 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c
> > +index 6f9486bbc..8c490e4d1 100644
> > +--- a/slirp/src/udp6.c
> > ++++ b/slirp/src/udp6.c
> > +@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m)
> > +     ip = mtod(m, struct ip6 *);
> > +     m->m_len -= iphlen;
> > +     m->m_data += iphlen;
> > +-    uh = mtod(m, struct udphdr *);
> > ++    uh = mtod_check(m, sizeof(struct udphdr));
> > ++    if (uh == NULL) {
> > ++        goto bad;
> > ++    }
> > +     m->m_len += iphlen;
> > +     m->m_data -= iphlen;
> > + 
> > +-- 
> > +2.31.1
> > +
> >  
> >  
> > 
> > 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160583):
> https://lists.openembedded.org/g/openembedded-core/message/160583
> Mute This Topic: https://lists.openembedded.org/mt/88427080/3616702
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub [
> anuj.mittal@intel.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 463339e42b..6c00bf274b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -70,6 +70,9 @@  SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2021-3607.patch \
            file://CVE-2021-3608.patch \
            file://CVE-2021-3682.patch \
+           file://CVE-2021-3592_1.patch \
+           file://CVE-2021-3592_2.patch \
+           file://CVE-2021-3592_3.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch
new file mode 100644
index 0000000000..e374959594
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch
@@ -0,0 +1,58 @@ 
+From 0123c625aed2ed0679fa8c084104699d918c1da6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 15:58:25 +0400
+Subject: [PATCH 01/12] Add mtod_check()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recent security issues demonstrate the lack of safety care when casting
+a mbuf to a particular structure type. At least, it should check that
+the buffer is large enough. The following patches will make use of this
+function.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [93e645e72a056ec0b2c16e0299fc5c6b94e4ca17]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/mbuf.c | 11 +++++++++++
+ slirp/src/mbuf.h |  1 +
+ 2 files changed, 12 insertions(+)
+
+diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c
+index 54ec721eb..cb2e97108 100644
+--- a/slirp/src/mbuf.c
++++ b/slirp/src/mbuf.c
+@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat)
+ 
+     return (struct mbuf *)0;
+ }
++
++void *mtod_check(struct mbuf *m, size_t len)
++{
++    if (m->m_len >= len) {
++        return m->m_data;
++    }
++
++    DEBUG_ERROR("mtod failed");
++
++    return NULL;
++}
+diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h
+index 546e7852c..2015e3232 100644
+--- a/slirp/src/mbuf.h
++++ b/slirp/src/mbuf.h
+@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
+ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
++void *mtod_check(struct mbuf *, size_t len);
+ 
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+-- 
+2.31.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch
new file mode 100644
index 0000000000..799a95417e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch
@@ -0,0 +1,165 @@ 
+From fc2a4797f55016e78f2cde4806b05368fa5b7a97 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 19:25:28 +0400
+Subject: [PATCH 02/12] bootp: limit vendor-specific area to input packet
+ memory buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
+from the structure, to help with the following patch checking for
+minimal header size. Modify the bootp_reply() function to take the
+buffer boundaries and avoiding potential buffer overflow.
+
+Related to CVE-2021-3592.
+
+https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [f13cad45b25d92760bb0ad67bec0300a4d7d5275]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/bootp.c | 26 +++++++++++++++-----------
+ slirp/src/bootp.h |  2 +-
+ slirp/src/mbuf.c  |  5 +++++
+ slirp/src/mbuf.h  |  1 +
+ 4 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
+index 46e96810a..e0db8d196 100644
+--- a/slirp/src/bootp.c
++++ b/slirp/src/bootp.c
+@@ -92,21 +92,22 @@ found:
+     return bc;
+ }
+ 
+-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
++static void dhcp_decode(const struct bootp_t *bp,
++                        const uint8_t *bp_end,
++                        int *pmsg_type,
+                         struct in_addr *preq_addr)
+ {
+-    const uint8_t *p, *p_end;
++    const uint8_t *p;
+     int len, tag;
+ 
+     *pmsg_type = 0;
+     preq_addr->s_addr = htonl(0L);
+ 
+     p = bp->bp_vend;
+-    p_end = p + DHCP_OPT_LEN;
+     if (memcmp(p, rfc1533_cookie, 4) != 0)
+         return;
+     p += 4;
+-    while (p < p_end) {
++    while (p < bp_end) {
+         tag = p[0];
+         if (tag == RFC1533_PAD) {
+             p++;
+@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+             break;
+         } else {
+             p++;
+-            if (p >= p_end)
++            if (p >= bp_end)
+                 break;
+             len = *p++;
+-            if (p + len > p_end) {
++            if (p + len > bp_end) {
+                 break;
+             }
+             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+     }
+ }
+ 
+-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
++static void bootp_reply(Slirp *slirp,
++                        const struct bootp_t *bp,
++                        const uint8_t *bp_end)
+ {
+     BOOTPClient *bc = NULL;
+     struct mbuf *m;
+@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+     uint8_t client_ethaddr[ETH_ALEN];
+ 
+     /* extract exact DHCP msg type */
+-    dhcp_decode(bp, &dhcp_msg_type, &preq_addr);
++    dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr);
+     DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type);
+     if (preq_addr.s_addr != htonl(0L))
+         DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr));
+@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+         return;
+     }
+     m->m_data += IF_MAXLINKHDR;
++    m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+     rbp = (struct bootp_t *)m->m_data;
+     m->m_data += sizeof(struct udpiphdr);
+-    memset(rbp, 0, sizeof(struct bootp_t));
++    memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+ 
+     if (dhcp_msg_type == DHCPDISCOVER) {
+         if (preq_addr.s_addr != htonl(0L)) {
+@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+     rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
+ 
+     q = rbp->bp_vend;
+-    end = (uint8_t *)&rbp[1];
++    end = rbp->bp_vend + DHCP_OPT_LEN;
+     memcpy(q, rfc1533_cookie, 4);
+     q += 4;
+ 
+@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m)
+     struct bootp_t *bp = mtod(m, struct bootp_t *);
+ 
+     if (bp->bp_op == BOOTP_REQUEST) {
+-        bootp_reply(m->slirp, bp);
++        bootp_reply(m->slirp, bp, m_end(m));
+     }
+ }
+diff --git a/slirp/src/bootp.h b/slirp/src/bootp.h
+index a57fa51bc..31ce5fd33 100644
+--- a/slirp/src/bootp.h
++++ b/slirp/src/bootp.h
+@@ -114,7 +114,7 @@ struct bootp_t {
+     uint8_t bp_hwaddr[16];
+     uint8_t bp_sname[64];
+     char bp_file[128];
+-    uint8_t bp_vend[DHCP_OPT_LEN];
++    uint8_t bp_vend[];
+ };
+ 
+ typedef struct {
+diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c
+index cb2e97108..0c1a530f1 100644
+--- a/slirp/src/mbuf.c
++++ b/slirp/src/mbuf.c
+@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len)
+ 
+     return NULL;
+ }
++
++void *m_end(struct mbuf *m)
++{
++    return m->m_data + m->m_len;
++}
+diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h
+index 2015e3232..a9752a36e 100644
+--- a/slirp/src/mbuf.h
++++ b/slirp/src/mbuf.h
+@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
+ void *mtod_check(struct mbuf *, size_t len);
++void *m_end(struct mbuf *);
+ 
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+-- 
+2.31.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch
new file mode 100644
index 0000000000..f07a0faeb7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch
@@ -0,0 +1,40 @@ 
+From d175694c607273b6c8f09717de9c455891d6765d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:15:14 +0400
+Subject: [PATCH 03/12] bootp: check bootp_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3592
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [2eca0838eee1da96204545e22cdaed860d9d7c6c]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/bootp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
+index e0db8d196..cafa1eb1f 100644
+--- a/slirp/src/bootp.c
++++ b/slirp/src/bootp.c
+@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp,
+ 
+ void bootp_input(struct mbuf *m)
+ {
+-    struct bootp_t *bp = mtod(m, struct bootp_t *);
++    struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t));
+ 
+-    if (bp->bp_op == BOOTP_REQUEST) {
++    if (bp && bp->bp_op == BOOTP_REQUEST) {
+         bootp_reply(m->slirp, bp, m_end(m));
+     }
+ }
+-- 
+2.31.1
+