[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/01: gnu: qemu: Add fix for CVE-2015-3209.
|
From: |
Mark H. Weaver |
|
Subject: |
01/01: gnu: qemu: Add fix for CVE-2015-3209. |
|
Date: |
Wed, 10 Jun 2015 19:42:23 +0000 |
mhw pushed a commit to branch master
in repository guix.
commit 3dbb0e5f8b9e8445818ca31861488666b948ce50
Author: Mark H Weaver <address@hidden>
Date: Wed Jun 10 15:11:48 2015 -0400
gnu: qemu: Add fix for CVE-2015-3209.
* gnu/packages/patches/qemu-CVE-2015-3209.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/qemu.scm (qemu): Add patch.
---
gnu-system.am | 1 +
gnu/packages/patches/qemu-CVE-2015-3209.patch | 49 +++++++++++++++++++++++++
gnu/packages/qemu.scm | 3 +-
3 files changed, 52 insertions(+), 1 deletions(-)
diff --git a/gnu-system.am b/gnu-system.am
index 3073fef..978e839 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -527,6 +527,7 @@ dist_patch_DATA =
\
gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \
gnu/packages/patches/python2-sqlite-3.8.4-test-fix.patch \
gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
+ gnu/packages/patches/qemu-CVE-2015-3209.patch \
gnu/packages/patches/qemu-CVE-2015-3456.patch \
gnu/packages/patches/qt4-ldflags.patch \
gnu/packages/patches/qt4-tests.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2015-3209.patch
b/gnu/packages/patches/qemu-CVE-2015-3209.patch
new file mode 100644
index 0000000..0bb7266
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2015-3209.patch
@@ -0,0 +1,49 @@
+From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
+From: Petr Matousek <address@hidden>
+Date: Sun, 24 May 2015 10:53:44 +0200
+Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
+
+4096 is the maximum length per TMD and it is also currently the size of
+the relay buffer pcnet driver uses for sending the packet data to QEMU
+for further processing. With packet spanning multiple TMDs it can
+happen that the overall packet size will be bigger than sizeof(buffer),
+which results in memory corruption.
+
+Fix this by only allowing to queue maximum sizeof(buffer) bytes.
+
+This is CVE-2015-3209.
+
+[Fixed 3-space indentation to QEMU's 4-space coding standard.
+--Stefan]
+
+Signed-off-by: Petr Matousek <address@hidden>
+Reported-by: Matt Tait <address@hidden>
+Reviewed-by: Peter Maydell <address@hidden>
+Reviewed-by: Stefan Hajnoczi <address@hidden>
+Signed-off-by: Stefan Hajnoczi <address@hidden>
+---
+ hw/net/pcnet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index bdfd38f..68b9981 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
+ }
+
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
++
++ /* if multi-tmd packet outsizes s->buffer then skip it silently.
++ Note: this is not what real hw does */
++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++ s->xmit_pos = -1;
++ goto txdone;
++ }
++
+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+ s->xmit_pos += bcnt;
+--
+2.2.1
+
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 7173102..27a2d2e 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -52,7 +52,8 @@
(sha256
(base32
"120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn"))
- (patches (list (search-patch "qemu-CVE-2015-3456.patch")))))
+ (patches (map search-patch '("qemu-CVE-2015-3209.patch"
+ "qemu-CVE-2015-3456.patch")))))
(build-system gnu-build-system)
(arguments
'(#:phases (alist-replace