diff options
author | Kai Kang <kai.kang@windriver.com> | 2015-07-07 17:43:02 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-01 21:19:41 +0100 |
commit | e232ad758a0eb0b16c304d4694b0a217cf4da3b8 (patch) | |
tree | e3a71675f033b005fb9ede779493ce319bb7ea80 /meta/recipes-devtools/qemu/qemu | |
parent | 328d35b53db61c86717c68cc564a790ccfa2956c (diff) | |
download | poky-e232ad758a0eb0b16c304d4694b0a217cf4da3b8.tar.gz |
qemu: fix CVE-2015-3209
Backport patch to fix CVE-2015-3209.
http://git.qemu.org/?p=qemu.git;a=commit;h=9f7c594
(From OE-Core master rev: ea85f36ad438353f5a8e64292dd27f457f1f665c)
(From OE-Core rev: d8d68c4a630dc9d802e159f0ffe768e52bea5401)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch new file mode 100644 index 0000000000..d2dbb94e0a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
4 | |||
5 | From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001 | ||
6 | From: Petr Matousek <pmatouse@redhat.com> | ||
7 | Date: Sun, 24 May 2015 10:53:44 +0200 | ||
8 | Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx | ||
9 | |||
10 | 4096 is the maximum length per TMD and it is also currently the size of | ||
11 | the relay buffer pcnet driver uses for sending the packet data to QEMU | ||
12 | for further processing. With packet spanning multiple TMDs it can | ||
13 | happen that the overall packet size will be bigger than sizeof(buffer), | ||
14 | which results in memory corruption. | ||
15 | |||
16 | Fix this by only allowing to queue maximum sizeof(buffer) bytes. | ||
17 | |||
18 | This is CVE-2015-3209. | ||
19 | |||
20 | [Fixed 3-space indentation to QEMU's 4-space coding standard. | ||
21 | --Stefan] | ||
22 | |||
23 | Signed-off-by: Petr Matousek <pmatouse@redhat.com> | ||
24 | Reported-by: Matt Tait <matttait@google.com> | ||
25 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
26 | Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
27 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
28 | --- | ||
29 | hw/net/pcnet.c | 8 ++++++++ | ||
30 | 1 file changed, 8 insertions(+) | ||
31 | |||
32 | diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c | ||
33 | index bdfd38f..68b9981 100644 | ||
34 | --- a/hw/net/pcnet.c | ||
35 | +++ b/hw/net/pcnet.c | ||
36 | @@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) | ||
37 | } | ||
38 | |||
39 | bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); | ||
40 | + | ||
41 | + /* if multi-tmd packet outsizes s->buffer then skip it silently. | ||
42 | + Note: this is not what real hw does */ | ||
43 | + if (s->xmit_pos + bcnt > sizeof(s->buffer)) { | ||
44 | + s->xmit_pos = -1; | ||
45 | + goto txdone; | ||
46 | + } | ||
47 | + | ||
48 | s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), | ||
49 | s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); | ||
50 | s->xmit_pos += bcnt; | ||
51 | -- | ||
52 | 2.4.1 | ||
53 | |||