author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-04-28 09:27:21 +0200 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-07-06 20:19:40 +0200 |
commit | d3f677a56013b1706854b016cde4dd4c4bc281fd (patch) | |
tree | e376f58e5989890e95383a48a25ca948d05ce99b /meta | |
parent | 2b10e943c879c0a510d4c2dcda127eef76974854 (diff) | |
download | poky-d3f677a56013b1706854b016cde4dd4c4bc281fd.tar.gz |
qemu-slirp: CVE-2014-3640
Fixes a NULL pointer deref in sosendto()
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3640
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/files/slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch | 45 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_1.7.2.bb | 3 |
2 files changed, 47 insertions, 1 deletions
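--- /dev/null
+++ b/meta/recipes-devtools/qemu/files/slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch
@@ -0,0 +1,45 @@
+From 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Thu, 18 Sep 2014 08:35:37 +0200
+Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
+uninitialized socket
+
+When guest sends udp packet with source port and source addr 0,
+uninitialized socket is picked up when looking for matching and already
+created udp sockets, and later passed to sosendto() where NULL pointer
+dereference is hit during so->slirp->vnetwork_mask.s_addr access.
+
+Fix this by checking that the socket is not just a socket stub.
+
+This is CVE-2014-3640.
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
+Reported-by: Stephane Duverger <stephane.duverger@eads.net>
+Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+slirp/udp.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/slirp/udp.c b/slirp/udp.c
+index 8cc6cb6..f77e00f 100644
+--- a/slirp/udp.c
++++ b/slirp/udp.c
+@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
+* Locate pcb for datagram.
+*/
+so = slirp->udp_last_so;
+- if (so->so_lport != uh->uh_sport ||
++ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
+so->so_laddr.s_addr != ip->ip_src.s_addr) {
+struct socket *tmp;
+
+--
+1.9.1
+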
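Review bot: The added `so == &slirp->udb` test in udp_input() carries no comment, and nothing in the condition itself says why the cached socket is compared against the list head. Per the patch description, the stub can match a guest datagram whose source port and source address are both 0, and it is then handed to sosendto(), where `so->slirp` is dereferenced. I would put the reason above the `if`, for example `/* udp_last_so may still be the &slirp->udb stub; it must never match a datagram (CVE-2014-3640) */`, so a later cleanup does not drop the check as redundant. udp_input() starts and ends outside this hunk, so whether any other path can pass the stub to sosendto() cannot be confirmed from here.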
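--- a/meta/recipes-devtools/qemu/qemu_1.7.2.bb
+++ b/meta/recipes-devtools/qemu/qemu_1.7.2.bb
@@ -6,7 +6,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
 SRC_URI += "file://fxrstorssefix.patch \
 file://qemu-enlarge-env-entry-size.patch \
 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
-file://ide-CVE-2014-2894.patch"
+file://ide-CVE-2014-2894.patch \
+file://slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch"
 
 SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2"
 SRC_URI[md5sum] = "a52e0acd37b0c9b06228fe98da0b1b43"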