1 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch b/meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch
new file mode 100644
index 0000000000..7c653b6852
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch
@@ -0,0 +1,76 @@
+From 7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 Mon Sep 17 00:00:00 2001
+From: P J P <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2015 16:40:49 +0530
+Subject: [PATCH] net: add checks to validate ring buffer
+ pointers(CVE-2015-5279)
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. While receiving packets
+via ne2000_receive() routine, a local 'index' variable
+could exceed the ring buffer size, which could lead to a
+memory buffer overflow. Added other checks at initialisation.
+CVE: CVE-2015-5279
+Upstream-Status: Backport
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: P J P <pjp@fedoraproject.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/net/ne2000.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 3492db3..9278571 100644
+--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
+@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+     }
+ 
+     index = s->curpag << 8;
+    if (index >= NE2000_PMEM_END) {
+        index = s->start;
+    }
+     /* 4 bytes for header */
+     total_len = size + 4;
+     /* address for next packet (4 bytes for CRC) */
+@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+         offset = addr | (page << 4);
+         switch(offset) {
+         case EN0_STARTPG:
+-            s->start = val << 8;
+            if (val << 8 <= NE2000_PMEM_END) {
+                s->start = val << 8;
+            }
+             break;
+         case EN0_STOPPG:
+-            s->stop = val << 8;
+            if (val << 8 <= NE2000_PMEM_END) {
+                s->stop = val << 8;
+            }
+             break;
+         case EN0_BOUNDARY:
+-            s->boundary = val;
+            if (val << 8 < NE2000_PMEM_END) {
+                s->boundary = val;
+            }
+             break;
+         case EN0_IMR:
+             s->imr = val;
+@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+             s->phys[offset - EN1_PHYS] = val;
+             break;
+         case EN1_CURPAG:
+-            s->curpag = val;
+            if (val << 8 < NE2000_PMEM_END) {
+                s->curpag = val;
+            }
+             break;
+         case EN1_MULT ... EN1_MULT + 7:
+             s->mult[offset - EN1_MULT] = val;
+-- 
+1.9.1

diff --git a/meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch b/meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch new file mode 100644 index 0000000000..7c653b6852 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch
@@ -0,0 +1,76 @@
	1	From 7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 Mon Sep 17 00:00:00 2001
	2	From: P J P <pjp@fedoraproject.org>
	3	Date: Tue, 15 Sep 2015 16:40:49 +0530
	4	Subject: [PATCH] net: add checks to validate ring buffer
	5	pointers(CVE-2015-5279)
	6
	7	Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
	8	bytes to process network packets. While receiving packets
	9	via ne2000_receive() routine, a local 'index' variable
	10	could exceed the ring buffer size, which could lead to a
	11	memory buffer overflow. Added other checks at initialisation.
	12
	13	CVE: CVE-2015-5279
	14	Upstream-Status: Backport
	15
	16	Reported-by: Qinghao Tang <luodalongde@gmail.com>
	17	Signed-off-by: P J P <pjp@fedoraproject.org>
	18	Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
	19	(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
	20	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
	21	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	22	---
	23	hw/net/ne2000.c \| 19 +++++++++++++++----
	24	1 file changed, 15 insertions(+), 4 deletions(-)
	25
	26	diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
	27	index 3492db3..9278571 100644
	28	--- a/hw/net/ne2000.c
	29	+++ b/hw/net/ne2000.c
	30	@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState nc, const uint8_t buf, size_t size_)
	31	}
	32
	33	index = s->curpag << 8;
	34	+ if (index >= NE2000_PMEM_END) {
	35	+ index = s->start;
	36	+ }
	37	/* 4 bytes for header */
	38	total_len = size + 4;
	39	/* address for next packet (4 bytes for CRC) */
	40	@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
	41	offset = addr \| (page << 4);
	42	switch(offset) {
	43	case EN0_STARTPG:
	44	- s->start = val << 8;
	45	+ if (val << 8 <= NE2000_PMEM_END) {
	46	+ s->start = val << 8;
	47	+ }
	48	break;
	49	case EN0_STOPPG:
	50	- s->stop = val << 8;
	51	+ if (val << 8 <= NE2000_PMEM_END) {
	52	+ s->stop = val << 8;
	53	+ }
	54	break;
	55	case EN0_BOUNDARY:
	56	- s->boundary = val;
	57	+ if (val << 8 < NE2000_PMEM_END) {
	58	+ s->boundary = val;
	59	+ }
	60	break;
	61	case EN0_IMR:
	62	s->imr = val;
	63	@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
	64	s->phys[offset - EN1_PHYS] = val;
	65	break;
	66	case EN1_CURPAG:
	67	- s->curpag = val;
	68	+ if (val << 8 < NE2000_PMEM_END) {
	69	+ s->curpag = val;
	70	+ }
	71	break;
	72	case EN1_MULT ... EN1_MULT + 7:
	73	s->mult[offset - EN1_MULT] = val;
	74	--
	75	1.9.1
	76