[OE-core] [PATCH 1/1] qemu: fix CVE-2015-3209
Kai Kang
kai.kang at windriver.com
Tue Jul 7 09:43:02 UTC 2015
Backport patch to fix CVE-2015-3209.
http://git.qemu.org/?p=qemu.git;a=commit;h=9f7c594
Signed-off-by: Kai Kang <kai.kang at windriver.com>
---
.../qemu/qemu/qemu-fix-CVE-2015-3209.patch | 53 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.3.0.bb | 1 +
2 files changed, 54 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch
new file mode 100644
index 0000000..d2dbb94
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch
@@ -0,0 +1,53 @@
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang at windriver.com>
+
+From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse at redhat.com>
+Date: Sun, 24 May 2015 10:53:44 +0200
+Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
+
+4096 is the maximum length per TMD and it is also currently the size of
+the relay buffer pcnet driver uses for sending the packet data to QEMU
+for further processing. With packet spanning multiple TMDs it can
+happen that the overall packet size will be bigger than sizeof(buffer),
+which results in memory corruption.
+
+Fix this by only allowing to queue maximum sizeof(buffer) bytes.
+
+This is CVE-2015-3209.
+
+[Fixed 3-space indentation to QEMU's 4-space coding standard.
+--Stefan]
+
+Signed-off-by: Petr Matousek <pmatouse at redhat.com>
+Reported-by: Matt Tait <matttait at google.com>
+Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
+---
+ hw/net/pcnet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index bdfd38f..68b9981 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
+ }
+
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
++
++ /* if multi-tmd packet outsizes s->buffer then skip it silently.
++ Note: this is not what real hw does */
++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++ s->xmit_pos = -1;
++ goto txdone;
++ }
++
+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+ s->xmit_pos += bcnt;
+--
+2.4.1
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.3.0.bb b/meta/recipes-devtools/qemu/qemu_2.3.0.bb
index ec1b101..cae0ad1 100644
--- a/meta/recipes-devtools/qemu/qemu_2.3.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.3.0.bb
@@ -18,6 +18,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch \
file://10-xen-pt-add-a-few-PCI-config-space-field-descriptions-CVE-2015-4106.patch \
file://11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch \
+ file://qemu-fix-CVE-2015-3209.patch \
"
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221"
--
1.9.1
More information about the Openembedded-core
mailing list