authorSona Sarmadi <sona.sarmadi@enea.com>2016-05-02 07:33:26 (GMT)
committerTudor Florea <tudor.florea@enea.com>2016-05-03 14:06:17 (GMT)
commit3e666afc648543a2dd73c577569e34d0d8d996ff (patch)
tree0c7add932071a499677ef6d5943656af824cf6c8
parent128060b9853174f93dd4c45d4dc1b0acbe08388f (diff)
downloadpoky-3e666afc648543a2dd73c577569e34d0d8d996ff.tar.gz
qemu: net: CVE-2015-5279
Fixes a heap overflow vulnerability in the ne2000_receive() function. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5279 Reference to upstream patch: http://git.qemu.org/?p=qemu.git;a=commit;h=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch76
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.4.0.bb1
2 files changed, 77 insertions, 0 deletions
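--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/net-CVE-2015-5279.patch
@@ -0,0 +1,76 @@
+From 7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 Mon Sep 17 00:00:00 2001
+From: P J P <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2015 16:40:49 +0530
+Subject: [PATCH] net: add checks to validate ring buffer
+ pointers(CVE-2015-5279)
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. While receiving packets
+via ne2000_receive() routine, a local 'index' variable
+could exceed the ring buffer size, which could lead to a
+memory buffer overflow. Added other checks at initialisation.
+
+CVE: CVE-2015-5279
+Upstream-Status: Backport
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: P J P <pjp@fedoraproject.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/net/ne2000.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 3492db3..9278571 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ }
+
+ index = s->curpag << 8;
++ if (index >= NE2000_PMEM_END) {
++ index = s->start;
++ }
+ /* 4 bytes for header */
+ total_len = size + 4;
+ /* address for next packet (4 bytes for CRC) */
+@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ offset = addr | (page << 4);
+ switch(offset) {
+ case EN0_STARTPG:
+- s->start = val << 8;
++ if (val << 8 <= NE2000_PMEM_END) {
++ s->start = val << 8;
++ }
+ break;
+ case EN0_STOPPG:
+- s->stop = val << 8;
++ if (val << 8 <= NE2000_PMEM_END) {
++ s->stop = val << 8;
++ }
+ break;
+ case EN0_BOUNDARY:
+- s->boundary = val;
++ if (val << 8 < NE2000_PMEM_END) {
++ s->boundary = val;
++ }
+ break;
+ case EN0_IMR:
+ s->imr = val;
+@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ s->phys[offset - EN1_PHYS] = val;
+ break;
+ case EN1_CURPAG:
+- s->curpag = val;
++ if (val << 8 < NE2000_PMEM_END) {
++ s->curpag = val;
++ }
+ break;
+ case EN1_MULT ... EN1_MULT + 7:
+ s->mult[offset - EN1_MULT] = val;
+--
+1.9.1
+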
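Review bot: The new EN0_STARTPG and EN0_STOPPG guards in ne2000_ioport_write use `<=`, so both registers may be set to NE2000_PMEM_END and start may be equal to or above stop, while the new `index = s->start` fallback in ne2000_receive neither re-checks that the reset index is below NE2000_PMEM_END nor that start < stop. If the copy loop outside this hunk wraps index back to s->start when it reaches s->stop, a start/stop pair with no room between them would leave index unable to advance, so the fallback should be paired with a sanity check on the register pair, e.g. `if (s->start >= s->stop || s->start >= NE2000_PMEM_END)` dropping the frame before any copy (the exact drop convention must be confirmed against the full function). As a point of style, the unparenthesized `val << 8 <= NE2000_PMEM_END` reads more clearly as `(val << 8) <= NE2000_PMEM_END`, and a byte-sized `val` assumption behind the shift is worth a comment if the I/O region is registered with 8-bit access only. Both ne2000_receive and ne2000_ioport_write extend beyond the quoted hunks.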
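--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -22,6 +22,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
  file://CVE-2016-2198.patch \
  file://vnc-CVE-2015-5225.patch \
  file://net-CVE-2015-5278.patch \
+ file://net-CVE-2015-5279.patch \
  "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"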