From f020c711ddeb1d46f30d18dfb087ff7a3b7806c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20F=C3=B6rster?= Date: Sat, 13 Jun 2015 17:59:47 +0200 Subject: [PATCH] [app-emulation/qemu] bump --- .../qemu/files/qemu-2.3.0-CVE-2015-3209.patch | 51 +++++++++++++++++++ ...u-2.3.0-r1.ebuild => qemu-2.3.0-r2.ebuild} | 3 +- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch rename app-emulation/qemu/{qemu-2.3.0-r1.ebuild => qemu-2.3.0-r2.ebuild} (99%) diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch new file mode 100644 index 0000000..885db3b --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch @@ -0,0 +1,51 @@ +https://bugs.gentoo.org/551752 + +From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001 +From: Petr Matousek +Date: Sun, 24 May 2015 10:53:44 +0200 +Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx + +4096 is the maximum length per TMD and it is also currently the size of +the relay buffer pcnet driver uses for sending the packet data to QEMU +for further processing. With packet spanning multiple TMDs it can +happen that the overall packet size will be bigger than sizeof(buffer), +which results in memory corruption. + +Fix this by only allowing to queue maximum sizeof(buffer) bytes. + +This is CVE-2015-3209. + +[Fixed 3-space indentation to QEMU's 4-space coding standard. +--Stefan] + +Signed-off-by: Petr Matousek +Reported-by: Matt Tait +Reviewed-by: Peter Maydell +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Stefan Hajnoczi +--- + hw/net/pcnet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index bdfd38f..68b9981 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) + } + + bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); ++ ++ /* if multi-tmd packet outsizes s->buffer then skip it silently. ++ Note: this is not what real hw does */ ++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { ++ s->xmit_pos = -1; ++ goto txdone; ++ } ++ + s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), + s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); + s->xmit_pos += bcnt; +-- +2.2.0.rc0.207.ga3a616c + diff --git a/app-emulation/qemu/qemu-2.3.0-r1.ebuild b/app-emulation/qemu/qemu-2.3.0-r2.ebuild similarity index 99% rename from app-emulation/qemu/qemu-2.3.0-r1.ebuild rename to app-emulation/qemu/qemu-2.3.0-r2.ebuild index 5a08f4e..d78a2a7 100644 --- a/app-emulation/qemu/qemu-2.3.0-r1.ebuild +++ b/app-emulation/qemu/qemu-2.3.0-r2.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.3.0-r1.ebuild,v 1.2 2015/05/13 23:11:02 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.3.0-r2.ebuild,v 1.1 2015/06/12 14:19:29 vapier Exp $ EAPI=5 @@ -261,6 +261,7 @@ src_prepare() { epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch epatch "${FILESDIR}"/${P}-CVE-2015-3456.patch #549404 + epatch "${FILESDIR}"/${P}-CVE-2015-3209.patch #551752 [[ -n ${BACKPORTS} ]] && \ EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \ epatch