diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-04-27 11:48:16 +0200 |
|---|---|---|
| committer | Nora Björklund <nora.bjorklund@enea.com> | 2016-04-28 09:02:11 +0200 |
| commit | d3d0c7af34b996b4518b26d4f3b4eff831a651af (patch) | |
| tree | d8dc6be1d65668e4cbaf04f47011542ed35b2031 /meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch | |
| parent | c6477d7bc514c951746d6b717c033475fc45f3fc (diff) | |
| download | poky-d3d0c7af34b996b4518b26d4f3b4eff831a651af.tar.gz | |
qemu: Upgrade 2.1.0 to 2.4.0 to address some CVEs
The upgrade addresses following CVEs:
CVE-2015-7295
CVE-2015-7504
CVE-2015-7512
CVE-2015-8345
CVE-2015-8504
CVE-2016-1568
CVE-2016-2197
CVE-2016-2198
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch | 48 |
1 files changed, 0 insertions, 48 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch deleted file mode 100644 index a7ecf31c01..0000000000 --- a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch +++ /dev/null | |||
| @@ -1,48 +0,0 @@ | |||
| 1 | From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Petr Matousek <pmatouse@redhat.com> | ||
| 3 | Date: Thu, 18 Sep 2014 08:35:37 +0200 | ||
| 4 | Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of | ||
| 5 | uninitialized socket | ||
| 6 | |||
| 7 | When guest sends udp packet with source port and source addr 0, | ||
| 8 | uninitialized socket is picked up when looking for matching and already | ||
| 9 | created udp sockets, and later passed to sosendto() where NULL pointer | ||
| 10 | dereference is hit during so->slirp->vnetwork_mask.s_addr access. | ||
| 11 | |||
| 12 | Fix this by checking that the socket is not just a socket stub. | ||
| 13 | |||
| 14 | This is CVE-2014-3640. | ||
| 15 | |||
| 16 | Upstream-Status: Backport | ||
| 17 | |||
| 18 | Signed-off-by: Petr Matousek <pmatouse@redhat.com> | ||
| 19 | Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com> | ||
| 20 | Reported-by: Stephane Duverger <stephane.duverger@eads.net> | ||
| 21 | Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com> | ||
| 22 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
| 23 | Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> | ||
| 24 | Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com | ||
| 25 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 26 | (cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a) | ||
| 27 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
| 28 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 29 | --- | ||
| 30 | slirp/udp.c | 2 +- | ||
| 31 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 32 | |||
| 33 | diff --git a/slirp/udp.c b/slirp/udp.c | ||
| 34 | index 8cc6cb6..f77e00f 100644 | ||
| 35 | --- a/slirp/udp.c | ||
| 36 | +++ b/slirp/udp.c | ||
| 37 | @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen) | ||
| 38 | * Locate pcb for datagram. | ||
| 39 | */ | ||
| 40 | so = slirp->udp_last_so; | ||
| 41 | - if (so->so_lport != uh->uh_sport || | ||
| 42 | + if (so == &slirp->udb || so->so_lport != uh->uh_sport || | ||
| 43 | so->so_laddr.s_addr != ip->ip_src.s_addr) { | ||
| 44 | struct socket *tmp; | ||
| 45 | |||
| 46 | -- | ||
| 47 | 1.9.1 | ||
| 48 | |||