gnu: qemu: Fix CVE-2017-{13711,14167}.

* gnu/packages/patches/qemu-CVE-2017-14167.patch gnu/packages/patches/qemu-CVE-2017-13711.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/virtualization.scm (qemu)[source]: Use them.
2017-09-07 14:44:45 -04:00 · 2017-09-07 14:44:45 -04:00 · 6a7bd25bf2
commit 6a7bd25bf2
parent 94d671f673
4 changed files with 162 additions and 0 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -978,6 +978,8 @@ dist_patch_DATA =						\
  %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
  %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch	\
  %D%/packages/patches/python2-subprocess32-disable-input-test.patch	\
  %D%/packages/patches/qemu-CVE-2017-13711.patch		\
  %D%/packages/patches/qemu-CVE-2017-14167.patch		\
  %D%/packages/patches/qt4-ldflags.patch			\
  %D%/packages/patches/qtscript-disable-tests.patch		\
  %D%/packages/patches/quagga-reproducible-build.patch          \
--- a/gnu/packages/patches/qemu-CVE-2017-13711.patch
+++ b/gnu/packages/patches/qemu-CVE-2017-13711.patch
@ -0,0 +1,89 @@
 Fix CVE-2017-13711:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13711
 Patch copied from upstream source repository:
 https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1201d308519f1e915866d7583d5136d03cc1d384
 From 1201d308519f1e915866d7583d5136d03cc1d384 Mon Sep 17 00:00:00 2001
 From: Samuel Thibault <samuel.thibault@ens-lyon.org>
 Date: Fri, 25 Aug 2017 01:35:53 +0200
 Subject: [PATCH] slirp: fix clearing ifq_so from pending packets
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The if_fastq and if_batchq contain not only packets, but queues of packets
 for the same socket. When sofree frees a socket, it thus has to clear ifq_so
 from all the packets from the queues, not only the first.
 Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
 slirp/socket.c | 39 +++++++++++++++++++++++----------------
 1 file changed, 23 insertions(+), 16 deletions(-)
 diff --git a/slirp/socket.c b/slirp/socket.c
 index ecec0295a9..cb7b5b608d 100644
 --- a/slirp/socket.c
 +++ b/slirp/socket.c
@@ -59,6 +59,27 @@ socreate(Slirp *slirp)
   return(so);
 }
 +/*
 + * Remove references to so from the given message queue.
 + */
 +static void
 +soqfree(struct socket *so, struct quehead *qh)
 +{
 +    struct mbuf *ifq;
 +
 +    for (ifq = (struct mbuf *) qh->qh_link;
 +             (struct quehead *) ifq != qh;
 +             ifq = ifq->ifq_next) {
 +        if (ifq->ifq_so == so) {
 +            struct mbuf *ifm;
 +            ifq->ifq_so = NULL;
 +            for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) {
 +                ifm->ifq_so = NULL;
 +            }
 +        }
 +    }
 +}
 +
 /*
  * remque and free a socket, clobber cache
  */
@@ -66,23 +87,9 @@ void
 sofree(struct socket *so)
 {
   Slirp *slirp = so->slirp;
 -  struct mbuf *ifm;
 -  for (ifm = (struct mbuf *) slirp->if_fastq.qh_link;
 -       (struct quehead *) ifm != &slirp->if_fastq;
 -       ifm = ifm->ifq_next) {
 -    if (ifm->ifq_so == so) {
 -      ifm->ifq_so = NULL;
 -    }
 -  }
 -
 -  for (ifm = (struct mbuf *) slirp->if_batchq.qh_link;
 -       (struct quehead *) ifm != &slirp->if_batchq;
 -       ifm = ifm->ifq_next) {
 -    if (ifm->ifq_so == so) {
 -      ifm->ifq_so = NULL;
 -    }
 -  }
 +  soqfree(so, &slirp->if_fastq);
 +  soqfree(so, &slirp->if_batchq);
   if (so->so_emu==EMU_RSH && so->extra) {
 	sofree(so->extra);
 -- 
 2.14.1
--- a/gnu/packages/patches/qemu-CVE-2017-14167.patch
+++ b/gnu/packages/patches/qemu-CVE-2017-14167.patch
@ -0,0 +1,69 @@
 Fix CVE-2017-14167:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14167
 http://seclists.org/oss-sec/2017/q3/407
 Patch copied from upstream development mailing list:
 https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html
 From: Prasad J Pandit <address@hidden>
 While loading kernel via multiboot-v1 image, (flags & 0x00010000)
 indicates that multiboot header contains valid addresses to load
 the kernel image. These addresses are used to compute kernel
 size and kernel text offset in the OS image. Validate these
 address values to avoid an OOB access issue.
 This is CVE-2017-14167.
 Reported-by: Thomas Garnier <address@hidden>
 Signed-off-by: Prasad J Pandit <address@hidden>
 ---
 hw/i386/multiboot.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 Update: add CVE-ID to the commit message.
 diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
 index 6001f4caa2..c7b70c91d5 100644
 --- a/hw/i386/multiboot.c
 +++ b/hw/i386/multiboot.c
@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
         uint32_t mh_header_addr = ldl_p(header+i+12);
         uint32_t mh_load_end_addr = ldl_p(header+i+20);
         uint32_t mh_bss_end_addr = ldl_p(header+i+24);
 +
         mh_load_addr = ldl_p(header+i+16);
 +        if (mh_header_addr < mh_load_addr) {
 +            fprintf(stderr, "invalid mh_load_addr address\n");
 +            exit(1);
 +        }
 +
         uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
         uint32_t mb_load_size = 0;
         mh_entry_addr = ldl_p(header+i+28);
         if (mh_load_end_addr) {
 +            if (mh_bss_end_addr < mh_load_addr) {
 +                fprintf(stderr, "invalid mh_bss_end_addr address\n");
 +                exit(1);
 +            }
             mb_kernel_size = mh_bss_end_addr - mh_load_addr;
 +
 +            if (mh_load_end_addr < mh_load_addr) {
 +                fprintf(stderr, "invalid mh_load_end_addr address\n");
 +                exit(1);
 +            }
             mb_load_size = mh_load_end_addr - mh_load_addr;
         } else {
 +            if (kernel_file_size < mb_kernel_text_offset) {
 +                fprintf(stderr, "invalid kernel_file_size\n");
 +                exit(1);
 +            }
             mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
             mb_load_size = mb_kernel_size;
         }
 -- 
 2.13.5
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@ -77,6 +77,8 @@
             (method url-fetch)
             (uri (string-append "https://download.qemu.org/qemu-"
                                 version ".tar.xz"))
             (patches (search-patches "qemu-CVE-2017-13711.patch"
                                      "qemu-CVE-2017-14167.patch"))
             (sha256
              (base32
               "0dgk7zcni41nf1jp84y0m6dk2nb4frnh571m8hkiv0m4hz4imn2m"))))