diff options
author | Armin Kuster <akuster@mvista.com> | 2016-02-06 15:14:51 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-07 17:23:04 +0000 |
commit | caa104fd2a94f52b06b14f4d096a7bacf79308b8 (patch) | |
tree | 60f45d54168e0531fc0849316c1b75d6b5ed1480 /meta/recipes-devtools/qemu/qemu | |
parent | 73941fbc6a1642b4d036135ac97731aaf98e27e8 (diff) | |
download | poky-caa104fd2a94f52b06b14f4d096a7bacf79308b8.tar.gz |
qemu: Security fix CVE-2015-7504
CVE-2015-7504 Qemu: net: pcnet: heap overflow vulnerability in loopback mode
(From OE-Core rev: b01b569d7d7e651a35fa38750462f13aeb64a2f3)
(From OE-Core rev: 10752d6beb5520ec0fc83a7d0173e10144b11685)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch new file mode 100644 index 0000000000..04e6183ec3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch | |||
@@ -0,0 +1,56 @@ | |||
1 | From 837f21aacf5a714c23ddaadbbc5212f9b661e3f7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Fri, 20 Nov 2015 11:50:31 +0530 | ||
4 | Subject: [PATCH] net: pcnet: add check to validate receive data | ||
5 | size(CVE-2015-7504) | ||
6 | |||
7 | In loopback mode, pcnet_receive routine appends CRC code to the | ||
8 | receive buffer. If the data size given is same as the buffer size, | ||
9 | the appended CRC code overwrites 4 bytes after s->buffer. Added a | ||
10 | check to avoid that. | ||
11 | |||
12 | Reported by: Qinghao Tang <luodalongde@gmail.com> | ||
13 | Cc: qemu-stable@nongnu.org | ||
14 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
15 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
16 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | |||
20 | http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7 | ||
21 | |||
22 | CVE: CVE-2015-7504 | ||
23 | [Yocto # 9013] | ||
24 | |||
25 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
26 | |||
27 | --- | ||
28 | hw/net/pcnet.c | 8 +++++--- | ||
29 | 1 file changed, 5 insertions(+), 3 deletions(-) | ||
30 | |||
31 | Index: qemu-2.2.0/hw/net/pcnet.c | ||
32 | =================================================================== | ||
33 | --- qemu-2.2.0.orig/hw/net/pcnet.c | ||
34 | +++ qemu-2.2.0/hw/net/pcnet.c | ||
35 | @@ -1106,7 +1106,7 @@ ssize_t pcnet_receive(NetClientState *nc | ||
36 | uint32_t fcs = ~0; | ||
37 | uint8_t *p = src; | ||
38 | |||
39 | - while (p != &src[size-4]) | ||
40 | + while (p != &src[size]) | ||
41 | CRC(fcs, *p++); | ||
42 | crc_err = (*(uint32_t *)p != htonl(fcs)); | ||
43 | } | ||
44 | @@ -1255,8 +1255,10 @@ static void pcnet_transmit(PCNetState *s | ||
45 | bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); | ||
46 | |||
47 | /* if multi-tmd packet outsizes s->buffer then skip it silently. | ||
48 | - Note: this is not what real hw does */ | ||
49 | - if (s->xmit_pos + bcnt > sizeof(s->buffer)) { | ||
50 | + * Note: this is not what real hw does. | ||
51 | + * Last four bytes of s->buffer are used to store CRC FCS code. | ||
52 | + */ | ||
53 | + if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) { | ||
54 | s->xmit_pos = -1; | ||
55 | goto txdone; | ||
56 | } | ||