[app-emulation/qemu] bump
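--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch
@@ -0,0 +1,51 @@
+https://bugs.gentoo.org/551752
+
+From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Sun, 24 May 2015 10:53:44 +0200
+Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
+
+4096 is the maximum length per TMD and it is also currently the size of
+the relay buffer pcnet driver uses for sending the packet data to QEMU
+for further processing. With packet spanning multiple TMDs it can
+happen that the overall packet size will be bigger than sizeof(buffer),
+which results in memory corruption.
+
+Fix this by only allowing to queue maximum sizeof(buffer) bytes.
+
+This is CVE-2015-3209.
+
+[Fixed 3-space indentation to QEMU's 4-space coding standard.
+--Stefan]
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Matt Tait <matttait@google.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/net/pcnet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index bdfd38f..68b9981 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
+         }
+ 
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
++
++        /* if multi-tmd packet outsizes s->buffer then skip it silently.
++           Note: this is not what real hw does */
++        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++            s->xmit_pos = -1;
++            goto txdone;
++        }
++
+         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+         s->xmit_pos += bcnt;
+-- 
+2.2.0.rc0.207.ga3a616c
+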
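Review bot: The new guard `if (s->xmit_pos + bcnt > sizeof(s->buffer))` compares what looks like a signed sum against a `size_t`, so if `xmit_pos` and `bcnt` are `int` (the `s->xmit_pos = -1;` assignment two lines below suggests the field is signed) a negative `xmit_pos` would be converted to a very large unsigned value and slip past the check. The guard is therefore only sound if a negative `xmit_pos` cannot reach this line; presumably an earlier test in pcnet_transmit bails out on that state, but it lies outside the hunk and is not stated at the check. I would add `/* xmit_pos is >= 0 here; the size_t comparison depends on that */` above the `if`, so a later reordering of the function does not silently reopen the overflow this patch closes. pcnet_transmit begins and ends outside the hunk.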
| @@ -1,6 +1,6 @@ | ||||
| # Copyright 1999-2015 Gentoo Foundation | ||||
| # Distributed under the terms of the GNU General Public License v2 | ||||
| # $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.3.0-r1.ebuild,v 1.2 2015/05/13 23:11:02 vapier Exp $ | ||||
| # $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.3.0-r2.ebuild,v 1.1 2015/06/12 14:19:29 vapier Exp $ | ||||
| 
 | ||||
| EAPI=5 | ||||
| 
 | ||||
| @@ -261,6 +261,7 @@ src_prepare() { | ||||
| 
 | ||||
| 	epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch | ||||
| 	epatch "${FILESDIR}"/${P}-CVE-2015-3456.patch #549404 | ||||
| 	epatch "${FILESDIR}"/${P}-CVE-2015-3209.patch #551752 | ||||
| 	[[ -n ${BACKPORTS} ]] && \ | ||||
| 		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \ | ||||
| 			epatch | ||||