summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-08-25 11:50:07 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-09-01 21:37:30 +0100
commitf7b041121e7d3c365dcf4a596ab378d5439e33c5 (patch)
tree16dd04099d67c59a333b034093bcd0efde79576a /meta/recipes-devtools
parent7a263b2e60ede6dd08c4f49e9bf0a19e04917061 (diff)
downloadpoky-f7b041121e7d3c365dcf4a596ab378d5439e33c5.tar.gz
qemu-slirp: CVE-2014-3640
Fixes NULL pointer deref in sosendto(). Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3640 Upstream patch: http://git.qemu.org/?p=qemu.git;a=commit; h=9a72433843d912a45046959b1953861211d1838d (From OE-Core rev: f63a4f706269b4cd82c56d92f37c881de824d8bc) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch48
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.1.0.bb1
2 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
new file mode 100644
index 0000000000..a7ecf31c01
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
@@ -0,0 +1,48 @@
1From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
2From: Petr Matousek <pmatouse@redhat.com>
3Date: Thu, 18 Sep 2014 08:35:37 +0200
4Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
5 uninitialized socket
6
7When guest sends udp packet with source port and source addr 0,
8uninitialized socket is picked up when looking for matching and already
9created udp sockets, and later passed to sosendto() where NULL pointer
10dereference is hit during so->slirp->vnetwork_mask.s_addr access.
11
12Fix this by checking that the socket is not just a socket stub.
13
14This is CVE-2014-3640.
15
16Upstream-Status: Backport
17
18Signed-off-by: Petr Matousek <pmatouse@redhat.com>
19Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
20Reported-by: Stephane Duverger <stephane.duverger@eads.net>
21Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
22Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
23Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
24Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
25Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
26(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
27Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
28Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
29---
30 slirp/udp.c | 2 +-
31 1 file changed, 1 insertion(+), 1 deletion(-)
32
33diff --git a/slirp/udp.c b/slirp/udp.c
34index 8cc6cb6..f77e00f 100644
35--- a/slirp/udp.c
36+++ b/slirp/udp.c
37@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
38 * Locate pcb for datagram.
39 */
40 so = slirp->udp_last_so;
41- if (so->so_lport != uh->uh_sport ||
42+ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
43 so->so_laddr.s_addr != ip->ip_src.s_addr) {
44 struct socket *tmp;
45
46--
471.9.1
48
diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
index 444a4220bd..92a89d699c 100644
--- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
10 file://qemu-CVE-2015-3456.patch \ 10 file://qemu-CVE-2015-3456.patch \
11 file://CVE-2014-7840.patch \ 11 file://CVE-2014-7840.patch \
12 file://vnc-CVE-2014-7815.patch \ 12 file://vnc-CVE-2014-7815.patch \
13 file://slirp-CVE-2014-3640.patch \
13 " 14 "
14SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 15SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
15SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b" 16SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"