gnu: qemu: Add fix for CVE-2015-3209.
* gnu/packages/patches/qemu-CVE-2015-3209.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/qemu.scm (qemu): Add patch.master
parent
e51943f886
commit
3dbb0e5f8b
|
@ -527,6 +527,7 @@ dist_patch_DATA = \
|
|||
gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \
|
||||
gnu/packages/patches/python2-sqlite-3.8.4-test-fix.patch \
|
||||
gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
|
||||
gnu/packages/patches/qemu-CVE-2015-3209.patch \
|
||||
gnu/packages/patches/qemu-CVE-2015-3456.patch \
|
||||
gnu/packages/patches/qt4-ldflags.patch \
|
||||
gnu/packages/patches/qt4-tests.patch \
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
|
||||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Sun, 24 May 2015 10:53:44 +0200
|
||||
Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
|
||||
|
||||
4096 is the maximum length per TMD and it is also currently the size of
|
||||
the relay buffer pcnet driver uses for sending the packet data to QEMU
|
||||
for further processing. With packet spanning multiple TMDs it can
|
||||
happen that the overall packet size will be bigger than sizeof(buffer),
|
||||
which results in memory corruption.
|
||||
|
||||
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
|
||||
|
||||
This is CVE-2015-3209.
|
||||
|
||||
[Fixed 3-space indentation to QEMU's 4-space coding standard.
|
||||
--Stefan]
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Reported-by: Matt Tait <matttait@google.com>
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
---
|
||||
hw/net/pcnet.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index bdfd38f..68b9981 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
|
||||
}
|
||||
|
||||
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
|
||||
+
|
||||
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
|
||||
+ Note: this is not what real hw does */
|
||||
+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
|
||||
+ s->xmit_pos = -1;
|
||||
+ goto txdone;
|
||||
+ }
|
||||
+
|
||||
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
|
||||
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
|
||||
s->xmit_pos += bcnt;
|
||||
--
|
||||
2.2.1
|
||||
|
|
@ -52,7 +52,8 @@
|
|||
(sha256
|
||||
(base32
|
||||
"120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn"))
|
||||
(patches (list (search-patch "qemu-CVE-2015-3456.patch")))))
|
||||
(patches (map search-patch '("qemu-CVE-2015-3209.patch"
|
||||
"qemu-CVE-2015-3456.patch")))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
'(#:phases (alist-replace
|
||||
|
|
Reference in New Issue