qemu: fix CVE-2015-3209

Backport patch to fix CVE-2015-3209. http://git.qemu.org/?p=qemu.git;a=commit;h=9f7c594 (From OE-Core master rev: ea85f36ad438353f5a8e64292dd27f457f1f665c) (From OE-Core rev: d8d68c4a630dc9d802e159f0ffe768e52bea5401) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2015-07-07 17:43:02 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-09-01 21:19:41 +0100
commit: e232ad758a0eb0b16c304d4694b0a217cf4da3b8 (patch)
tree: e3a71675f033b005fb9ede779493ce319bb7ea80 /meta
parent: 328d35b53db61c86717c68cc564a790ccfa2956c (diff)
download: poky-e232ad758a0eb0b16c304d4694b0a217cf4da3b8.tar.gz
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch
new file mode 100644
index 0000000000..d2dbb94e0a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch
@@ -0,0 +1,53 @@
+Upstream-Status: Backport
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Sun, 24 May 2015 10:53:44 +0200
+Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
+4096 is the maximum length per TMD and it is also currently the size of
+the relay buffer pcnet driver uses for sending the packet data to QEMU
+for further processing. With packet spanning multiple TMDs it can
+happen that the overall packet size will be bigger than sizeof(buffer),
+which results in memory corruption.
+Fix this by only allowing to queue maximum sizeof(buffer) bytes.
+This is CVE-2015-3209.
+[Fixed 3-space indentation to QEMU's 4-space coding standard.
+--Stefan]
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Matt Tait <matttait@google.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/net/pcnet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index bdfd38f..68b9981 100644
+--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
+@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
+         }
+ 
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+        /* if multi-tmd packet outsizes s->buffer then skip it silently.
+           Note: this is not what real hw does */
+        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+            s->xmit_pos = -1;
+            goto txdone;
+        }
+
+         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+         s->xmit_pos += bcnt;
+-- 
+2.4.1
diff --git a/meta/recipes-devtools/qemu/qemu_2.2.0.bb b/meta/recipes-devtools/qemu/qemu_2.2.0.bb
index 54dd7cbf51..4c6880be45 100644
--- a/meta/recipes-devtools/qemu/qemu_2.2.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.2.0.bb
@@ -19,6 +19,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
            file://09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch \
            file://10-xen-pt-add-a-few-PCI-config-space-field-descriptions-CVE-2015-4106.patch \
            file://11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch \
+            file://qemu-fix-CVE-2015-3209.patch \
           "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "f7a5e2da22d057eb838a91da7aff43c8"
author	Kai Kang <kai.kang@windriver.com>	2015-07-07 17:43:02 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-09-01 21:19:41 +0100
commit	e232ad758a0eb0b16c304d4694b0a217cf4da3b8 (patch)
tree	e3a71675f033b005fb9ede779493ce319bb7ea80 /meta
parent	328d35b53db61c86717c68cc564a790ccfa2956c (diff)
download	poky-e232ad758a0eb0b16c304d4694b0a217cf4da3b8.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch new file mode 100644 index 0000000000..d2dbb94e0a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch
@@ -0,0 +1,53 @@
		1	Upstream-Status: Backport
		2
		3	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		4
		5	From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
		6	From: Petr Matousek <pmatouse@redhat.com>
		7	Date: Sun, 24 May 2015 10:53:44 +0200
		8	Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
		9
		10	4096 is the maximum length per TMD and it is also currently the size of
		11	the relay buffer pcnet driver uses for sending the packet data to QEMU
		12	for further processing. With packet spanning multiple TMDs it can
		13	happen that the overall packet size will be bigger than sizeof(buffer),
		14	which results in memory corruption.
		15
		16	Fix this by only allowing to queue maximum sizeof(buffer) bytes.
		17
		18	This is CVE-2015-3209.
		19
		20	[Fixed 3-space indentation to QEMU's 4-space coding standard.
		21	--Stefan]
		22
		23	Signed-off-by: Petr Matousek <pmatouse@redhat.com>
		24	Reported-by: Matt Tait <matttait@google.com>
		25	Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
		26	Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
		27	Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
		28	---
		29	hw/net/pcnet.c \| 8 ++++++++
		30	1 file changed, 8 insertions(+)
		31
		32	diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
		33	index bdfd38f..68b9981 100644
		34	--- a/hw/net/pcnet.c
		35	+++ b/hw/net/pcnet.c
		36	@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
		37	}
		38
		39	bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
		40	+
		41	+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
		42	+ Note: this is not what real hw does */
		43	+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
		44	+ s->xmit_pos = -1;
		45	+ goto txdone;
		46	+ }
		47	+
		48	s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
		49	s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
		50	s->xmit_pos += bcnt;
		51	--
		52	2.4.1
		53


diff --git a/meta/recipes-devtools/qemu/qemu_2.2.0.bb b/meta/recipes-devtools/qemu/qemu_2.2.0.bb index 54dd7cbf51..4c6880be45 100644 --- a/meta/recipes-devtools/qemu/qemu_2.2.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.2.0.bb
@@ -19,6 +19,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
19	file://09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch \	19	file://09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch \
20	file://10-xen-pt-add-a-few-PCI-config-space-field-descriptions-CVE-2015-4106.patch \	20	file://10-xen-pt-add-a-few-PCI-config-space-field-descriptions-CVE-2015-4106.patch \
21	file://11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch \	21	file://11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch \
		22	file://qemu-fix-CVE-2015-3209.patch \
22	"	23	"
23	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"	24	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
24	SRC_URI[md5sum] = "f7a5e2da22d057eb838a91da7aff43c8"	25	SRC_URI[md5sum] = "f7a5e2da22d057eb838a91da7aff43c8"