diff options
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch | 53 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.3.0.bb | 1 |
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch new file mode 100644 index 0000000000..d2dbb94e0a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/qemu-fix-CVE-2015-3209.patch | |||
| @@ -0,0 +1,53 @@ | |||
| 1 | Upstream-Status: Backport | ||
| 2 | |||
| 3 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
| 4 | |||
| 5 | From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001 | ||
| 6 | From: Petr Matousek <pmatouse@redhat.com> | ||
| 7 | Date: Sun, 24 May 2015 10:53:44 +0200 | ||
| 8 | Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx | ||
| 9 | |||
| 10 | 4096 is the maximum length per TMD and it is also currently the size of | ||
| 11 | the relay buffer pcnet driver uses for sending the packet data to QEMU | ||
| 12 | for further processing. With packet spanning multiple TMDs it can | ||
| 13 | happen that the overall packet size will be bigger than sizeof(buffer), | ||
| 14 | which results in memory corruption. | ||
| 15 | |||
| 16 | Fix this by only allowing to queue maximum sizeof(buffer) bytes. | ||
| 17 | |||
| 18 | This is CVE-2015-3209. | ||
| 19 | |||
| 20 | [Fixed 3-space indentation to QEMU's 4-space coding standard. | ||
| 21 | --Stefan] | ||
| 22 | |||
| 23 | Signed-off-by: Petr Matousek <pmatouse@redhat.com> | ||
| 24 | Reported-by: Matt Tait <matttait@google.com> | ||
| 25 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 26 | Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
| 27 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
| 28 | --- | ||
| 29 | hw/net/pcnet.c | 8 ++++++++ | ||
| 30 | 1 file changed, 8 insertions(+) | ||
| 31 | |||
| 32 | diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c | ||
| 33 | index bdfd38f..68b9981 100644 | ||
| 34 | --- a/hw/net/pcnet.c | ||
| 35 | +++ b/hw/net/pcnet.c | ||
| 36 | @@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) | ||
| 37 | } | ||
| 38 | |||
| 39 | bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); | ||
| 40 | + | ||
| 41 | + /* if multi-tmd packet outsizes s->buffer then skip it silently. | ||
| 42 | + Note: this is not what real hw does */ | ||
| 43 | + if (s->xmit_pos + bcnt > sizeof(s->buffer)) { | ||
| 44 | + s->xmit_pos = -1; | ||
| 45 | + goto txdone; | ||
| 46 | + } | ||
| 47 | + | ||
| 48 | s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), | ||
| 49 | s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); | ||
| 50 | s->xmit_pos += bcnt; | ||
| 51 | -- | ||
| 52 | 2.4.1 | ||
| 53 | |||
diff --git a/meta/recipes-devtools/qemu/qemu_2.3.0.bb b/meta/recipes-devtools/qemu/qemu_2.3.0.bb index ec1b101998..cae0ad123a 100644 --- a/meta/recipes-devtools/qemu/qemu_2.3.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.3.0.bb | |||
| @@ -18,6 +18,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ | |||
| 18 | file://09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch \ | 18 | file://09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch \ |
| 19 | file://10-xen-pt-add-a-few-PCI-config-space-field-descriptions-CVE-2015-4106.patch \ | 19 | file://10-xen-pt-add-a-few-PCI-config-space-field-descriptions-CVE-2015-4106.patch \ |
| 20 | file://11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch \ | 20 | file://11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch \ |
| 21 | file://qemu-fix-CVE-2015-3209.patch \ | ||
| 21 | " | 22 | " |
| 22 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" | 23 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" |
| 23 | SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221" | 24 | SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221" |