[gentoo-commits] gentoo-x86 commit in app-emulation/qemu/files: qemu-2.3.0-CVE-2015-3209.patch

Fri, 12 Jun 2015 07:20:06 -0700 

vapier      15/06/12 14:19:29

  Added:                qemu-2.3.0-CVE-2015-3209.patch
  Log:
  Add fix from upstream for CVE-2015-3209 #551752 by Agostino Sarubbo.
  
  (Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key 
D2E96200)

Revision  Changes    Path
1.1                  app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch?rev=1.1&content-type=text/plain

Index: qemu-2.3.0-CVE-2015-3209.patch
===================================================================
https://bugs.gentoo.org/551752

>From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
From: Petr Matousek <[email protected]>
Date: Sun, 24 May 2015 10:53:44 +0200
Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx

4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.

Fix this by only allowing to queue maximum sizeof(buffer) bytes.

This is CVE-2015-3209.

[Fixed 3-space indentation to QEMU's 4-space coding standard.
--Stefan]

Signed-off-by: Petr Matousek <[email protected]>
Reported-by: Matt Tait <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Reviewed-by: Stefan Hajnoczi <[email protected]>
Signed-off-by: Stefan Hajnoczi <[email protected]>
---
 hw/net/pcnet.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index bdfd38f..68b9981 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
         }
 
         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+        /* if multi-tmd packet outsizes s->buffer then skip it silently.
+           Note: this is not what real hw does */
+        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+            s->xmit_pos = -1;
+            goto txdone;
+        }
+
         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
         s->xmit_pos += bcnt;
-- 
2.2.0.rc0.207.ga3a616c

Reply via email to