Dessa/gentoo
1
0
Fork 0
Code Issues Pull Requests Wiki Activity

[app-emulation/qemu] bump

Browse Source
This commit is contained in:
Robert Förster 2015-06-13 17:59:47 +02:00
parent 88cc8213a6
commit f020c711dd
2 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch Normal file
View File

@ -0,0 +1,51 @@
https://bugs.gentoo.org/551752
From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
From: Petr Matousek <pmatouse@redhat.com>
Date: Sun, 24 May 2015 10:53:44 +0200
Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
This is CVE-2015-3209.
[Fixed 3-space indentation to QEMU's 4-space coding standard.
--Stefan]
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Matt Tait <matttait@google.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/pcnet.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index bdfd38f..68b9981 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
}
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
+ Note: this is not what real hw does */
+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+ s->xmit_pos = -1;
+ goto txdone;
+ }
+
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
s->xmit_pos += bcnt;
--
2.2.0.rc0.207.ga3a616c

3
app-emulation/qemu/qemu-2.3.0-r1.ebuild → app-emulation/qemu/qemu-2.3.0-r2.ebuild
View File

@ -1,6 +1,6 @@
# Copyright 1999-2015 Gentoo Foundation # Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2 # Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.3.0-r1.ebuild,v 1.2 2015/05/13 23:11:02 vapier Exp $ # $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.3.0-r2.ebuild,v 1.1 2015/06/12 14:19:29 vapier Exp $
EAPI=5 EAPI=5
@ -261,6 +261,7 @@ src_prepare() {
epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
epatch "${FILESDIR}"/${P}-CVE-2015-3456.patch #549404 epatch "${FILESDIR}"/${P}-CVE-2015-3456.patch #549404
epatch "${FILESDIR}"/${P}-CVE-2015-3209.patch #551752
[[ -n ${BACKPORTS} ]] && \ [[ -n ${BACKPORTS} ]] && \
EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \ EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
epatch epatch