diff options
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-13711.patch | 89 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-14167.patch | 69 |
2 files changed, 0 insertions, 158 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-13711.patch b/gnu/packages/patches/qemu-CVE-2017-13711.patch deleted file mode 100644 index 4070115419..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-13711.patch +++ /dev/null @@ -1,89 +0,0 @@ -Fix CVE-2017-13711: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13711 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1201d308519f1e915866d7583d5136d03cc1d384 - -From 1201d308519f1e915866d7583d5136d03cc1d384 Mon Sep 17 00:00:00 2001 -From: Samuel Thibault <samuel.thibault@ens-lyon.org> -Date: Fri, 25 Aug 2017 01:35:53 +0200 -Subject: [PATCH] slirp: fix clearing ifq_so from pending packets -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The if_fastq and if_batchq contain not only packets, but queues of packets -for the same socket. When sofree frees a socket, it thus has to clear ifq_so -from all the packets from the queues, not only the first. - -Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> -Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> -Cc: qemu-stable@nongnu.org -Signed-off-by: Peter Maydell <peter.maydell@linaro.org> ---- - slirp/socket.c | 39 +++++++++++++++++++++++---------------- - 1 file changed, 23 insertions(+), 16 deletions(-) - -diff --git a/slirp/socket.c b/slirp/socket.c -index ecec0295a9..cb7b5b608d 100644 ---- a/slirp/socket.c -+++ b/slirp/socket.c -@@ -59,6 +59,27 @@ socreate(Slirp *slirp) - return(so); - } - -+/* -+ * Remove references to so from the given message queue. -+ */ -+static void -+soqfree(struct socket *so, struct quehead *qh) -+{ -+ struct mbuf *ifq; -+ -+ for (ifq = (struct mbuf *) qh->qh_link; -+ (struct quehead *) ifq != qh; -+ ifq = ifq->ifq_next) { -+ if (ifq->ifq_so == so) { -+ struct mbuf *ifm; -+ ifq->ifq_so = NULL; -+ for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) { -+ ifm->ifq_so = NULL; -+ } -+ } -+ } -+} -+ - /* - * remque and free a socket, clobber cache - */ -@@ -66,23 +87,9 @@ void - sofree(struct socket *so) - { - Slirp *slirp = so->slirp; -- struct mbuf *ifm; - -- for (ifm = (struct mbuf *) slirp->if_fastq.qh_link; -- (struct quehead *) ifm != &slirp->if_fastq; -- ifm = ifm->ifq_next) { -- if (ifm->ifq_so == so) { -- ifm->ifq_so = NULL; -- } -- } -- -- for (ifm = (struct mbuf *) slirp->if_batchq.qh_link; -- (struct quehead *) ifm != &slirp->if_batchq; -- ifm = ifm->ifq_next) { -- if (ifm->ifq_so == so) { -- ifm->ifq_so = NULL; -- } -- } -+ soqfree(so, &slirp->if_fastq); -+ soqfree(so, &slirp->if_batchq); - - if (so->so_emu==EMU_RSH && so->extra) { - sofree(so->extra); --- -2.14.1 - diff --git a/gnu/packages/patches/qemu-CVE-2017-14167.patch b/gnu/packages/patches/qemu-CVE-2017-14167.patch deleted file mode 100644 index a6007ac082..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-14167.patch +++ /dev/null @@ -1,69 +0,0 @@ -Fix CVE-2017-14167: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14167 -http://seclists.org/oss-sec/2017/q3/407 - -Patch copied from upstream development mailing list: - -https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html - -From: Prasad J Pandit <address@hidden> - -While loading kernel via multiboot-v1 image, (flags & 0x00010000) -indicates that multiboot header contains valid addresses to load -the kernel image. These addresses are used to compute kernel -size and kernel text offset in the OS image. Validate these -address values to avoid an OOB access issue. - -This is CVE-2017-14167. - -Reported-by: Thomas Garnier <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/i386/multiboot.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -Update: add CVE-ID to the commit message. - -diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c -index 6001f4caa2..c7b70c91d5 100644 ---- a/hw/i386/multiboot.c -+++ b/hw/i386/multiboot.c -@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg, - uint32_t mh_header_addr = ldl_p(header+i+12); - uint32_t mh_load_end_addr = ldl_p(header+i+20); - uint32_t mh_bss_end_addr = ldl_p(header+i+24); -+ - mh_load_addr = ldl_p(header+i+16); -+ if (mh_header_addr < mh_load_addr) { -+ fprintf(stderr, "invalid mh_load_addr address\n"); -+ exit(1); -+ } -+ - uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr); - uint32_t mb_load_size = 0; - mh_entry_addr = ldl_p(header+i+28); - - if (mh_load_end_addr) { -+ if (mh_bss_end_addr < mh_load_addr) { -+ fprintf(stderr, "invalid mh_bss_end_addr address\n"); -+ exit(1); -+ } - mb_kernel_size = mh_bss_end_addr - mh_load_addr; -+ -+ if (mh_load_end_addr < mh_load_addr) { -+ fprintf(stderr, "invalid mh_load_end_addr address\n"); -+ exit(1); -+ } - mb_load_size = mh_load_end_addr - mh_load_addr; - } else { -+ if (kernel_file_size < mb_kernel_text_offset) { -+ fprintf(stderr, "invalid kernel_file_size\n"); -+ exit(1); -+ } - mb_kernel_size = kernel_file_size - mb_kernel_text_offset; - mb_load_size = mb_kernel_size; - } --- -2.13.5 - |