From 3e666afc648543a2dd73c577569e34d0d8d996ff Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Mon, 2 May 2016 09:33:26 +0200
Subject: qemu: net: CVE-2015-5279
Fixes heap overflow vulnerability in ne2000_receive() function.
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5279
Reference to upstream patch: http://git.qemu.org/?p=qemu.git;a=commit;h=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755
Signed-off-by: Sona Sarmadi
Signed-off-by: Tudor Florea
---
 .../qemu/qemu/net-CVE-2015-5279.patch | 76 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.4.0.bb | 1 +
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch
diff --git a/meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch b/meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch
new file mode 100644
index 0000000000..7c653b6852
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch
@@ -0,0 +1,76 @@
+From 7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 Mon Sep 17 00:00:00 2001
+From: P J P
+Date: Tue, 15 Sep 2015 16:40:49 +0530
+Subject: [PATCH] net: add checks to validate ring buffer
+ pointers(CVE-2015-5279)
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. While receiving packets
+via ne2000_receive() routine, a local 'index' variable
+could exceed the ring buffer size, which could lead to a
+memory buffer overflow. Added other checks at initialisation.
+
+CVE: CVE-2015-5279
+Upstream-Status: Backport
+
+Reported-by: Qinghao Tang
+Signed-off-by: P J P
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
+Signed-off-by: Michael Roth
+Signed-off-by: Sona Sarmadi
+---
+ hw/net/ne2000.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 3492db3..9278571 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ }
+
+ index = s->curpag << 8;
++ if (index >= NE2000_PMEM_END) {
++ index = s->start;
++ }
+ /* 4 bytes for header */
+ total_len = size + 4;
+ /* address for next packet (4 bytes for CRC) */
+@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ offset = addr | (page << 4);
+ switch(offset) {
+ case EN0_STARTPG:
+- s->start = val << 8;
++ if (val << 8 <= NE2000_PMEM_END) {
++ s->start = val << 8;
++ }
+ break;
+ case EN0_STOPPG:
+- s->stop = val << 8;
++ if (val << 8 <= NE2000_PMEM_END) {
++ s->stop = val << 8;
++ }
+ break;
+ case EN0_BOUNDARY:
+- s->boundary = val;
++ if (val << 8 < NE2000_PMEM_END) {
++ s->boundary = val;
++ }
+ break;
+ case EN0_IMR:
+ s->imr = val;
+@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ s->phys[offset - EN1_PHYS] = val;
+ break;
+ case EN1_CURPAG:
+- s->curpag = val;
++ if (val << 8 < NE2000_PMEM_END) {
++ s->curpag = val;
++ }
+ break;
+ case EN1_MULT ... EN1_MULT + 7:
+ s->mult[offset - EN1_MULT] = val;
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
index 9435d969f5..6c8d1b78dd 100644
--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -22,6 +22,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
 file://CVE-2016-2198.patch \
 file://vnc-CVE-2015-5225.patch \
 file://net-CVE-2015-5278.patch \
+ file://net-CVE-2015-5279.patch \
 "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"
--
cgit v1.2.3-54-g00ecf
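Review bot: The new bounds in the carried patch disagree at the end of packet memory: EN0_STARTPG accepts `val << 8 <= NE2000_PMEM_END`, so `s->start` may equal NE2000_PMEM_END, yet the added check in ne2000_receive() treats `index >= NE2000_PMEM_END` as out of range and then falls back to `index = s->start` without re-testing it, so that same value still reaches the write path. Whether such an index lands past the ring depends on how NE2000_PMEM_END is defined, which is outside this patch; if it is the one-past-the-end address its name suggests, EN0_STARTPG should use the strict form, `if (val << 8 < NE2000_PMEM_END) {`, as EN0_BOUNDARY and EN1_CURPAG already do (the `<=` is defensible for EN0_STOPPG only if stop is an exclusive limit, which cannot be confirmed from the hunk). All four conditions also rely on `<<` binding tighter than `<`/`<=`, which is correct C but easy to misread; writing `(val << 8)` with parentheses removes the doubt. Rejected register writes are dropped silently, so a guest hitting these limits leaves no trace in the device log; a `qemu_log_mask(LOG_GUEST_ERROR, ...)` in each rejected branch would make that visible to the host operator. Both ne2000_receive() and ne2000_ioport_write() begin and end outside the hunk.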