From e232ad758a0eb0b16c304d4694b0a217cf4da3b8 Mon Sep 17 00:00:00 2001 From: Kai Kang Date: Tue, 7 Jul 2015 17:43:02 +0800 Subject: qemu: fix CVE-2015-3209 Backport patch to fix CVE-2015-3209. http://git.qemu.org/?p=qemu.git;a=commit;h=9f7c594 (From OE-Core master rev: ea85f36ad438353f5a8e64292dd27f457f1f665c) (From OE-Core rev: d8d68c4a630dc9d802e159f0ffe768e52bea5401) Signed-off-by: Kai Kang Signed-off-by: Richard Purdie Signed-off-by: Joshua Lock Signed-off-by: Richard Purdie --- .../qemu/qemu/qemu-fix-CVE-2015-3209.patch | 53 ++++++++++++++++++++++ meta/recipes-devtools/qemu/qemu_2.2.0.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch (limited to 'meta/recipes-devtools') diff --git a/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch new file mode 100644 index 0000000..d2dbb94 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch @@ -0,0 +1,53 @@ +Upstream-Status: Backport + +Signed-off-by: Kai Kang + +From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001 +From: Petr Matousek +Date: Sun, 24 May 2015 10:53:44 +0200 +Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx + +4096 is the maximum length per TMD and it is also currently the size of +the relay buffer pcnet driver uses for sending the packet data to QEMU +for further processing. With packet spanning multiple TMDs it can +happen that the overall packet size will be bigger than sizeof(buffer), +which results in memory corruption. + +Fix this by only allowing to queue maximum sizeof(buffer) bytes. + +This is CVE-2015-3209. + +[Fixed 3-space indentation to QEMU's 4-space coding standard. +--Stefan] + +Signed-off-by: Petr Matousek +Reported-by: Matt Tait +Reviewed-by: Peter Maydell +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Stefan Hajnoczi +--- + hw/net/pcnet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index bdfd38f..68b9981 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) + } + + bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); ++ ++ /* if multi-tmd packet outsizes s->buffer then skip it silently. ++ Note: this is not what real hw does */ ++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { ++ s->xmit_pos = -1; ++ goto txdone; ++ } ++ + s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), + s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); + s->xmit_pos += bcnt; +-- +2.4.1 + diff --git a/meta/recipes-devtools/qemu/qemu_2.2.0.bb b/meta/recipes-devtools/qemu/qemu_2.2.0.bb index 54dd7cb..4c6880b 100644 --- a/meta/recipes-devtools/qemu/qemu_2.2.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.2.0.bb @@ -19,6 +19,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ file://09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch \ file://10-xen-pt-add-a-few-PCI-config-space-field-descriptions-CVE-2015-4106.patch \ file://11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch \ + file://qemu-fix-CVE-2015-3209.patch \ " SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" SRC_URI[md5sum] = "f7a5e2da22d057eb838a91da7aff43c8" -- cgit v1.1