gentoo/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch

https://bugs.gentoo.org/570988

From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 31 Dec 2015 17:05:27 +0530
Subject: [PATCH] net: ne2000: fix bounds check in ioport operations

While doing ioport r/w operations, ne2000 device emulation suffers
from OOB r/w errors. Update respective array bounds check to avoid
OOB access.

Reported-by: Ling Liu <liuling-it@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/ne2000.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 010f9ef..a3dffff 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
                                      uint32_t val)
 {
     addr &= ~1; /* XXX: check exact behaviour if not even */
-    if (addr < 32 ||
-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
+    if (addr < 32
+        || (addr >= NE2000_PMEM_START
+            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
         stl_le_p(s->mem + addr, val);
     }
 }
@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
 static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
 {
     addr &= ~1; /* XXX: check exact behaviour if not even */
-    if (addr < 32 ||
-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
+    if (addr < 32
+        || (addr >= NE2000_PMEM_START
+            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
         return ldl_le_p(s->mem + addr);
     } else {
         return 0xffffffff;
-- 
2.6.2
[app-emulation/qemu] sync with tree 2016-01-18 11:54:47 +01:00			`https://bugs.gentoo.org/570988`

			`From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001`
			`From: Prasad J Pandit <pjp@fedoraproject.org>`
			`Date: Thu, 31 Dec 2015 17:05:27 +0530`
			`Subject: [PATCH] net: ne2000: fix bounds check in ioport operations`

			`While doing ioport r/w operations, ne2000 device emulation suffers`
			`from OOB r/w errors. Update respective array bounds check to avoid`
			`OOB access.`

			`Reported-by: Ling Liu <liuling-it@360.cn>`
			`Cc: qemu-stable@nongnu.org`
			`Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>`
			`Signed-off-by: Jason Wang <jasowang@redhat.com>`
			`---`
			`hw/net/ne2000.c \| 10 ++++++----`
			`1 file changed, 6 insertions(+), 4 deletions(-)`

			`diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c`
			`index 010f9ef..a3dffff 100644`
			`--- a/hw/net/ne2000.c`
			`+++ b/hw/net/ne2000.c`
			`@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,`
			`uint32_t val)`
			`{`
			`addr &= ~1; /* XXX: check exact behaviour if not even */`
			`- if (addr < 32 \|\|`
			`- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {`
			`+ if (addr < 32`
			`+ \|\| (addr >= NE2000_PMEM_START`
			`+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {`
			`stl_le_p(s->mem + addr, val);`
			`}`
			`}`
			`@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)`
			`static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)`
			`{`
			`addr &= ~1; /* XXX: check exact behaviour if not even */`
			`- if (addr < 32 \|\|`
			`- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {`
			`+ if (addr < 32`
			`+ \|\| (addr >= NE2000_PMEM_START`
			`+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {`
			`return ldl_le_p(s->mem + addr);`
			`} else {`
			`return 0xffffffff;`
			`--`
			`2.6.2`