summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-09-19 19:56:19 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 15:27:06 +0100
commit11c8c8aa155f134679fe0d2a12a8943a8d6b8c05 (patch)
treeeb332ba5689b97f8367d7c182cc41ed3be446e12
parent5a8a6a753fbcbdf8fc42c8bb6e8267f4e0023629 (diff)
downloadpoky-11c8c8aa155f134679fe0d2a12a8943a8d6b8c05.tar.gz
qemu: Security fix for CVE-2016-4002
affects qemu < 2.6.0 (From OE-Core rev: 4c6493e90c7102a5bfa8aba4c00b112d083e91b8) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.5.0.bb1
2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch
new file mode 100644
index 0000000000..69c11e27d9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch
@@ -0,0 +1,39 @@
1From 7a2c32ec06533c54ddaf70136bfbd89eeaf6db16 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 7 Apr 2016 15:56:02 +0530
4Subject: [PATCH] net: mipsnet: check packet length against buffer
5
6When receiving packets over MIPSnet network device, it uses
7receive buffer of size 1514 bytes. In case the controller
8accepts large(MTU) packets, it could lead to memory corruption.
9Add check to avoid it.
10
11Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
12Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
13Signed-off-by: Jason Wang <jasowang@redhat.com>
14
15(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
16Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
17
18Upstream-Status: Backport
19CVE: CVE-2016-4002
20Signed-off-by: Armin Kuster <akuster@mvista.com>
21
22---
23 hw/net/mipsnet.c | 3 +++
24 1 file changed, 3 insertions(+)
25
26Index: qemu-2.4.0/hw/net/mipsnet.c
27===================================================================
28--- qemu-2.4.0.orig/hw/net/mipsnet.c
29+++ qemu-2.4.0/hw/net/mipsnet.c
30@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClient
31 if (!mipsnet_can_receive(nc))
32 return 0;
33
34+ if (size >= sizeof(s->rx_buffer)) {
35+ return 0;
36+ }
37 s->busy = 1;
38
39 /* Just accept everything. */
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index feb6352531..0ffec9889c 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -24,6 +24,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
24 file://CVE-2016-4439.patch \ 24 file://CVE-2016-4439.patch \
25 file://CVE-2016-6351_p1.patch \ 25 file://CVE-2016-6351_p1.patch \
26 file://CVE-2016-6351_p2.patch \ 26 file://CVE-2016-6351_p2.patch \
27 file://CVE-2016-4002.patch \
27 " 28 "
28SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 29SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
29SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db" 30SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"