mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 05:18:07 -05:00
gnu: qemu: Add fix for CVE-2015-3209.
* gnu/packages/patches/qemu-CVE-2015-3209.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/qemu.scm (qemu): Add patch.
This commit is contained in:
parent
e51943f886
commit
3dbb0e5f8b
3 changed files with 52 additions and 1 deletions
|
@ -527,6 +527,7 @@ dist_patch_DATA = \
|
||||||
gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \
|
gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \
|
||||||
gnu/packages/patches/python2-sqlite-3.8.4-test-fix.patch \
|
gnu/packages/patches/python2-sqlite-3.8.4-test-fix.patch \
|
||||||
gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
|
gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
|
||||||
|
gnu/packages/patches/qemu-CVE-2015-3209.patch \
|
||||||
gnu/packages/patches/qemu-CVE-2015-3456.patch \
|
gnu/packages/patches/qemu-CVE-2015-3456.patch \
|
||||||
gnu/packages/patches/qt4-ldflags.patch \
|
gnu/packages/patches/qt4-ldflags.patch \
|
||||||
gnu/packages/patches/qt4-tests.patch \
|
gnu/packages/patches/qt4-tests.patch \
|
||||||
|
|
49
gnu/packages/patches/qemu-CVE-2015-3209.patch
Normal file
49
gnu/packages/patches/qemu-CVE-2015-3209.patch
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Matousek <pmatouse@redhat.com>
|
||||||
|
Date: Sun, 24 May 2015 10:53:44 +0200
|
||||||
|
Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
|
||||||
|
|
||||||
|
4096 is the maximum length per TMD and it is also currently the size of
|
||||||
|
the relay buffer pcnet driver uses for sending the packet data to QEMU
|
||||||
|
for further processing. With packet spanning multiple TMDs it can
|
||||||
|
happen that the overall packet size will be bigger than sizeof(buffer),
|
||||||
|
which results in memory corruption.
|
||||||
|
|
||||||
|
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
|
||||||
|
|
||||||
|
This is CVE-2015-3209.
|
||||||
|
|
||||||
|
[Fixed 3-space indentation to QEMU's 4-space coding standard.
|
||||||
|
--Stefan]
|
||||||
|
|
||||||
|
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||||
|
Reported-by: Matt Tait <matttait@google.com>
|
||||||
|
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||||
|
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||||
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||||
|
---
|
||||||
|
hw/net/pcnet.c | 8 ++++++++
|
||||||
|
1 file changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||||
|
index bdfd38f..68b9981 100644
|
||||||
|
--- a/hw/net/pcnet.c
|
||||||
|
+++ b/hw/net/pcnet.c
|
||||||
|
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
|
||||||
|
}
|
||||||
|
|
||||||
|
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
|
||||||
|
+
|
||||||
|
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
|
||||||
|
+ Note: this is not what real hw does */
|
||||||
|
+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
|
||||||
|
+ s->xmit_pos = -1;
|
||||||
|
+ goto txdone;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
|
||||||
|
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
|
||||||
|
s->xmit_pos += bcnt;
|
||||||
|
--
|
||||||
|
2.2.1
|
||||||
|
|
|
@ -52,7 +52,8 @@ (define-public qemu-headless
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn"))
|
"120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn"))
|
||||||
(patches (list (search-patch "qemu-CVE-2015-3456.patch")))))
|
(patches (map search-patch '("qemu-CVE-2015-3209.patch"
|
||||||
|
"qemu-CVE-2015-3456.patch")))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(arguments
|
(arguments
|
||||||
'(#:phases (alist-replace
|
'(#:phases (alist-replace
|
||||||
|
|
Loading…
Reference in a new issue