From 3dbb0e5f8b9e8445818ca31861488666b948ce50 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 10 Jun 2015 15:11:48 -0400 Subject: gnu: qemu: Add fix for CVE-2015-3209. * gnu/packages/patches/qemu-CVE-2015-3209.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/qemu.scm (qemu): Add patch. --- gnu/packages/patches/qemu-CVE-2015-3209.patch | 49 +++++++++++++++++++++++++++ gnu/packages/qemu.scm | 3 +- 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/qemu-CVE-2015-3209.patch (limited to 'gnu') diff --git a/gnu/packages/patches/qemu-CVE-2015-3209.patch b/gnu/packages/patches/qemu-CVE-2015-3209.patch new file mode 100644 index 0000000000..0bb726698c --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2015-3209.patch @@ -0,0 +1,49 @@ +From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001 +From: Petr Matousek +Date: Sun, 24 May 2015 10:53:44 +0200 +Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx + +4096 is the maximum length per TMD and it is also currently the size of +the relay buffer pcnet driver uses for sending the packet data to QEMU +for further processing. With packet spanning multiple TMDs it can +happen that the overall packet size will be bigger than sizeof(buffer), +which results in memory corruption. + +Fix this by only allowing to queue maximum sizeof(buffer) bytes. + +This is CVE-2015-3209. + +[Fixed 3-space indentation to QEMU's 4-space coding standard. +--Stefan] + +Signed-off-by: Petr Matousek +Reported-by: Matt Tait +Reviewed-by: Peter Maydell +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Stefan Hajnoczi +--- + hw/net/pcnet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index bdfd38f..68b9981 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) + } + + bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); ++ ++ /* if multi-tmd packet outsizes s->buffer then skip it silently. ++ Note: this is not what real hw does */ ++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { ++ s->xmit_pos = -1; ++ goto txdone; ++ } ++ + s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), + s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); + s->xmit_pos += bcnt; +-- +2.2.1 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 717310209e..27a2d2e8ba 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -52,7 +52,8 @@ (define-public qemu-headless (sha256 (base32 "120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn")) - (patches (list (search-patch "qemu-CVE-2015-3456.patch"))))) + (patches (map search-patch '("qemu-CVE-2015-3209.patch" + "qemu-CVE-2015-3456.patch"))))) (build-system gnu-build-system) (arguments '(#:phases (alist-replace -- cgit v1.2.3