[app-emulation/qemu] bump
This commit is contained in:
51
app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch
Normal file
51
app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch
Normal file
@@ -0,0 +1,51 @@
|
||||
https://bugs.gentoo.org/551752
|
||||
|
||||
From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
|
||||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Sun, 24 May 2015 10:53:44 +0200
|
||||
Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
|
||||
|
||||
4096 is the maximum length per TMD and it is also currently the size of
|
||||
the relay buffer pcnet driver uses for sending the packet data to QEMU
|
||||
for further processing. With packet spanning multiple TMDs it can
|
||||
happen that the overall packet size will be bigger than sizeof(buffer),
|
||||
which results in memory corruption.
|
||||
|
||||
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
|
||||
|
||||
This is CVE-2015-3209.
|
||||
|
||||
[Fixed 3-space indentation to QEMU's 4-space coding standard.
|
||||
--Stefan]
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Reported-by: Matt Tait <matttait@google.com>
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
---
|
||||
hw/net/pcnet.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index bdfd38f..68b9981 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
|
||||
}
|
||||
|
||||
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
|
||||
+
|
||||
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
|
||||
+ Note: this is not what real hw does */
|
||||
+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
|
||||
+ s->xmit_pos = -1;
|
||||
+ goto txdone;
|
||||
+ }
|
||||
+
|
||||
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
|
||||
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
|
||||
s->xmit_pos += bcnt;
|
||||
--
|
||||
2.2.0.rc0.207.ga3a616c
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.3.0-r1.ebuild,v 1.2 2015/05/13 23:11:02 vapier Exp $
|
||||
# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.3.0-r2.ebuild,v 1.1 2015/06/12 14:19:29 vapier Exp $
|
||||
|
||||
EAPI=5
|
||||
|
||||
@@ -261,6 +261,7 @@ src_prepare() {
|
||||
|
||||
epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
|
||||
epatch "${FILESDIR}"/${P}-CVE-2015-3456.patch #549404
|
||||
epatch "${FILESDIR}"/${P}-CVE-2015-3209.patch #551752
|
||||
[[ -n ${BACKPORTS} ]] && \
|
||||
EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
|
||||
epatch
|
||||
Reference in New Issue
Block a user