summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu
diff options
context:
space:
mode:
authorKai Kang <kai.kang@windriver.com>2015-07-07 17:43:02 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-07-09 18:00:19 +0100
commite2ac1e8f91d84b5c54f98f5dc9b88d75f297f15b (patch)
treebe608802ede28aad485589b4977961d370448bea /meta/recipes-devtools/qemu
parent8b3666ea2dbba3bc9523ff499dc50d52096d1c3e (diff)
downloadpoky-e2ac1e8f91d84b5c54f98f5dc9b88d75f297f15b.tar.gz
qemu: fix CVE-2015-3209
Backport patch to fix CVE-2015-3209. http://git.qemu.org/?p=qemu.git;a=commit;h=9f7c594 (From OE-Core rev: ea85f36ad438353f5a8e64292dd27f457f1f665c) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r--meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.3.0.bb1
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch
new file mode 100644
index 0000000000..d2dbb94e0a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch
@@ -0,0 +1,53 @@
1Upstream-Status: Backport
2
3Signed-off-by: Kai Kang <kai.kang@windriver.com>
4
5From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
6From: Petr Matousek <pmatouse@redhat.com>
7Date: Sun, 24 May 2015 10:53:44 +0200
8Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
9
104096 is the maximum length per TMD and it is also currently the size of
11the relay buffer pcnet driver uses for sending the packet data to QEMU
12for further processing. With packet spanning multiple TMDs it can
13happen that the overall packet size will be bigger than sizeof(buffer),
14which results in memory corruption.
15
16Fix this by only allowing to queue maximum sizeof(buffer) bytes.
17
18This is CVE-2015-3209.
19
20[Fixed 3-space indentation to QEMU's 4-space coding standard.
21--Stefan]
22
23Signed-off-by: Petr Matousek <pmatouse@redhat.com>
24Reported-by: Matt Tait <matttait@google.com>
25Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
26Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
27Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
28---
29 hw/net/pcnet.c | 8 ++++++++
30 1 file changed, 8 insertions(+)
31
32diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
33index bdfd38f..68b9981 100644
34--- a/hw/net/pcnet.c
35+++ b/hw/net/pcnet.c
36@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
37 }
38
39 bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
40+
41+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
42+ Note: this is not what real hw does */
43+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
44+ s->xmit_pos = -1;
45+ goto txdone;
46+ }
47+
48 s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
49 s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
50 s->xmit_pos += bcnt;
51--
522.4.1
53
diff --git a/meta/recipes-devtools/qemu/qemu_2.3.0.bb b/meta/recipes-devtools/qemu/qemu_2.3.0.bb
index ec1b101998..cae0ad123a 100644
--- a/meta/recipes-devtools/qemu/qemu_2.3.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.3.0.bb
@@ -18,6 +18,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
18 file://09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch \ 18 file://09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch \
19 file://10-xen-pt-add-a-few-PCI-config-space-field-descriptions-CVE-2015-4106.patch \ 19 file://10-xen-pt-add-a-few-PCI-config-space-field-descriptions-CVE-2015-4106.patch \
20 file://11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch \ 20 file://11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch \
21 file://qemu-fix-CVE-2015-3209.patch \
21 " 22 "
22SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 23SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
23SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221" 24SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221"