diff options
author | Mark H Weaver <mhw@netris.org> | 2015-06-10 15:11:48 -0400 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2015-06-10 15:42:16 -0400 |
commit | 3dbb0e5f8b9e8445818ca31861488666b948ce50 (patch) | |
tree | fc2c818648077e3222918efcfcc16d4bc44c6671 /gnu/packages | |
parent | e51943f886dd65dd9cd8c1f16e67d5775ffc08bd (diff) |
gnu: qemu: Add fix for CVE-2015-3209.
* gnu/packages/patches/qemu-CVE-2015-3209.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/qemu.scm (qemu): Add patch.
Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2015-3209.patch | 49 | ||||
-rw-r--r-- | gnu/packages/qemu.scm | 3 |
2 files changed, 51 insertions, 1 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2015-3209.patch b/gnu/packages/patches/qemu-CVE-2015-3209.patch new file mode 100644 index 0000000000..0bb726698c --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2015-3209.patch @@ -0,0 +1,49 @@ +From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001 +From: Petr Matousek <pmatouse@redhat.com> +Date: Sun, 24 May 2015 10:53:44 +0200 +Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx + +4096 is the maximum length per TMD and it is also currently the size of +the relay buffer pcnet driver uses for sending the packet data to QEMU +for further processing. With packet spanning multiple TMDs it can +happen that the overall packet size will be bigger than sizeof(buffer), +which results in memory corruption. + +Fix this by only allowing to queue maximum sizeof(buffer) bytes. + +This is CVE-2015-3209. + +[Fixed 3-space indentation to QEMU's 4-space coding standard. +--Stefan] + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reported-by: Matt Tait <matttait@google.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +--- + hw/net/pcnet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index bdfd38f..68b9981 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) + } + + bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); ++ ++ /* if multi-tmd packet outsizes s->buffer then skip it silently. ++ Note: this is not what real hw does */ ++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { ++ s->xmit_pos = -1; ++ goto txdone; ++ } ++ + s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), + s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); + s->xmit_pos += bcnt; +-- +2.2.1 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 717310209e..27a2d2e8ba 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -52,7 +52,8 @@ (sha256 (base32 "120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn")) - (patches (list (search-patch "qemu-CVE-2015-3456.patch"))))) + (patches (map search-patch '("qemu-CVE-2015-3209.patch" + "qemu-CVE-2015-3456.patch"))))) (build-system gnu-build-system) (arguments '(#:phases (alist-replace |