diff options
| -rw-r--r-- | gnu-system.am | 1 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2015-3209.patch | 49 | ||||
| -rw-r--r-- | gnu/packages/qemu.scm | 3 |
3 files changed, 52 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am index 3073fef498..978e839bfa 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -527,6 +527,7 @@ dist_patch_DATA = \ gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \ gnu/packages/patches/python2-sqlite-3.8.4-test-fix.patch \ gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ + gnu/packages/patches/qemu-CVE-2015-3209.patch \ gnu/packages/patches/qemu-CVE-2015-3456.patch \ gnu/packages/patches/qt4-ldflags.patch \ gnu/packages/patches/qt4-tests.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2015-3209.patch b/gnu/packages/patches/qemu-CVE-2015-3209.patch new file mode 100644 index 0000000000..0bb726698c --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2015-3209.patch @@ -0,0 +1,49 @@ +From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001 +From: Petr Matousek <pmatouse@redhat.com> +Date: Sun, 24 May 2015 10:53:44 +0200 +Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx + +4096 is the maximum length per TMD and it is also currently the size of +the relay buffer pcnet driver uses for sending the packet data to QEMU +for further processing. With packet spanning multiple TMDs it can +happen that the overall packet size will be bigger than sizeof(buffer), +which results in memory corruption. + +Fix this by only allowing to queue maximum sizeof(buffer) bytes. + +This is CVE-2015-3209. + +[Fixed 3-space indentation to QEMU's 4-space coding standard. +--Stefan] + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reported-by: Matt Tait <matttait@google.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +--- + hw/net/pcnet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index bdfd38f..68b9981 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) + } + + bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); ++ ++ /* if multi-tmd packet outsizes s->buffer then skip it silently. ++ Note: this is not what real hw does */ ++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { ++ s->xmit_pos = -1; ++ goto txdone; ++ } ++ + s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), + s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); + s->xmit_pos += bcnt; +-- +2.2.1 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 717310209e..27a2d2e8ba 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -52,7 +52,8 @@ (sha256 (base32 "120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn")) - (patches (list (search-patch "qemu-CVE-2015-3456.patch"))))) + (patches (map search-patch '("qemu-CVE-2015-3209.patch" + "qemu-CVE-2015-3456.patch"))))) (build-system gnu-build-system) (arguments '(#:phases (alist-replace |