authorSona Sarmadi <sona.sarmadi@enea.com>2015-04-28 09:27:21 +0200
committerTudor Florea <tudor.florea@enea.com>2015-07-06 20:19:40 +0200
commitd3f677a56013b1706854b016cde4dd4c4bc281fd (patch)
treee376f58e5989890e95383a48a25ca948d05ce99b
parent2b10e943c879c0a510d4c2dcda127eef76974854 (diff)
qemu-slirp: CVE-2014-3640
Fixes a NULL pointer deref in sosendto() References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3640 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta/recipes-devtools/qemu/files/slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu_1.7.2.bb3
2 files changed, 47 insertions, 1 deletions
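--- /dev/null
+++ b/meta/recipes-devtools/qemu/files/slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch
@@ -0,0 +1,45 @@
+From 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Thu, 18 Sep 2014 08:35:37 +0200
+Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
+ uninitialized socket
+
+When guest sends udp packet with source port and source addr 0,
+uninitialized socket is picked up when looking for matching and already
+created udp sockets, and later passed to sosendto() where NULL pointer
+dereference is hit during so->slirp->vnetwork_mask.s_addr access.
+
+Fix this by checking that the socket is not just a socket stub.
+
+This is CVE-2014-3640.
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
+Reported-by: Stephane Duverger <stephane.duverger@eads.net>
+Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ slirp/udp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/slirp/udp.c b/slirp/udp.c
+index 8cc6cb6..f77e00f 100644
+--- a/slirp/udp.c
++++ b/slirp/udp.c
+@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
+ * Locate pcb for datagram.
+ */
+ so = slirp->udp_last_so;
+- if (so->so_lport != uh->uh_sport ||
++ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
+ so->so_laddr.s_addr != ip->ip_src.s_addr) {
+ struct socket *tmp;
+
+--
+1.9.1
+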
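Review bot: The added `so == &slirp->udb` test on the `if` line in the backported udp.c hunk carries no comment explaining why comparing against the list head is the guard against the NULL dereference, so the reasoning survives only in the patch description. A one-line comment directly above the condition would keep it with the code, e.g. `/* udp_last_so may still be the list head (&slirp->udb), a stub with no real socket state; never match it */`. The body of udp_input, including whatever lookup follows the `struct socket *tmp;` declaration, continues outside the hunk, so the full effect of skipping the stub cannot be confirmed from here. Because the recipe carries this as an Upstream-Status: Backport patch, the comment would belong in the patch body itself rather than in a separate local change.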
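--- a/meta/recipes-devtools/qemu/qemu_1.7.2.bb
+++ b/meta/recipes-devtools/qemu/qemu_1.7.2.bb
@@ -6,7 +6,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
 SRC_URI += "file://fxrstorssefix.patch \
  file://qemu-enlarge-env-entry-size.patch \
  file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
- file://ide-CVE-2014-2894.patch"
+ file://ide-CVE-2014-2894.patch \
+ file://slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch"
 
 SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2"
 SRC_URI[md5sum] = "a52e0acd37b0c9b06228fe98da0b1b43"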