From 32c4e7044c0a00de9d1a10fc8db207c4fa34dbba Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Mon, 7 Dec 2015 22:11:31 -0500
Subject: app-emulation/qemu: add upstream security fixes #566792 #567144
---
 .../qemu/files/qemu-2.4.1-CVE-2015-7504.patch | 49 ++++++++++++++++
 .../qemu/files/qemu-2.4.1-CVE-2015-7512.patch | 37 ++++++++++++
 .../qemu/files/qemu-2.4.1-CVE-2015-8345.patch | 65 ++++++++++++++++++++++
 3 files changed, 151 insertions(+)
 create mode 100644 app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7504.patch
 create mode 100644 app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7512.patch
 create mode 100644 app-emulation/qemu/files/qemu-2.4.1-CVE-2015-8345.patch
(limited to 'app-emulation/qemu/files')
diff --git a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7504.patch b/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7504.patch
new file mode 100644
index 000000000000..e86e0c639893
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7504.patch
@@ -0,0 +1,49 @@
+From 837f21aacf5a714c23ddaadbbc5212f9b661e3f7 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 20 Nov 2015 11:50:31 +0530
+Subject: [PATCH] net: pcnet: add check to validate receive data
+ size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported by: Qinghao Tang
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Jason Wang
+---
+ hw/net/pcnet.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 0eb3cc4..309c40b 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ uint32_t fcs = ~0;
+ uint8_t *p = src;
+
+- while (p != &src[size-4])
++ while (p != &src[size])
+ CRC(fcs, *p++);
+ crc_err = (*(uint32_t *)p != htonl(fcs));
+ }
+@@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s)
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
+- Note: this is not what real hw does */
+- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++ * Note: this is not what real hw does.
++ * Last four bytes of s->buffer are used to store CRC FCS code.
++ */
++ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+ s->xmit_pos = -1;
+ goto txdone;
+ }
+--
+2.6.2
+
diff --git a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7512.patch b/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7512.patch
new file mode 100644
index 000000000000..4fee9ef5da9d
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7512.patch
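Review bot: The rewritten loop bound in the third `pcnet_receive` branch changes what `crc_err` is compared against: `p` now stops at `&src[size]`, so `*(uint32_t *)p` reads the four bytes after the frame rather than its last four bytes, and nothing in this hunk writes an FCS there on this path. If `size` on this path already includes the host-supplied FCS (which is what the old `&src[size-4]` bound suggests), the new code also feeds the FCS into the CRC, so the check is unlikely to behave as intended; the transmit-side `sizeof(s->buffer) - 4` guard is what actually keeps the write in bounds. I would keep the memory-safety fix but confirm and document the intended semantics, e.g. `/* FCS is the last 4 bytes of the frame; data bytes = size - 4 */`, and replace the type-punned `*(uint32_t *)p` with a `memcpy` into a local `uint32_t` to avoid an unaligned/aliasing read. `pcnet_receive` and `pcnet_transmit` both start and end outside the hunk.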
@@ -0,0 +1,37 @@
+From 8b98a2f07175d46c3f7217639bd5e03f2ec56343 Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Mon, 30 Nov 2015 15:00:06 +0800
+Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512)
+
+Backends could provide a packet whose length is greater than buffer
+size. Check for this and truncate the packet to avoid rx buffer
+overflow in this case.
+
+Cc: Prasad J Pandit
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Jason Wang
+---
+ hw/net/pcnet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 309c40b..1f4a3db 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ int pktcount = 0;
+
+ if (!s->looptest) {
++ if (size > 4092) {
++#ifdef PCNET_DEBUG_RMD
++ fprintf(stderr, "pcnet: truncates rx packet.\n");
++#endif
++ size = 4092;
++ }
+ memcpy(src, buf, size);
+ /* no need to compute the CRC */
+ src[size] = 0;
+--
+2.6.2
+
diff --git a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-8345.patch b/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-8345.patch
new file mode 100644
index 000000000000..f01d9ac3418b
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-8345.patch
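Review bot: The new bound `if (size > 4092)` is a bare literal with no link to the buffer it protects; the matching transmit-side check in the sibling CVE-2015-7504 patch is written as `sizeof(s->buffer) - 4`, and the two will silently drift apart if `s->buffer` is ever resized. Assuming `src` points into `s->buffer` here (it is assigned outside the hunk), write the guard as `if (size > sizeof(s->buffer) - 4) {` and add a comment such as `/* leave room for the 4 zero bytes stored in place of the FCS below */`, since the `src[size] = 0` that follows is the reason the reserve exists. Truncating an oversize frame also delivers a corrupt packet to the guest rather than dropping it; whichever behaviour is intended should be stated in a comment, as the debug-only `fprintf` will not explain it in a production build. `pcnet_receive` starts and ends outside the hunk.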
@@ -0,0 +1,65 @@
+https://bugs.gentoo.org/566792
+
+From 00837731d254908a841d69298a4f9f077babaf24 Mon Sep 17 00:00:00 2001
+From: Stefan Weil
+Date: Fri, 20 Nov 2015 08:42:33 +0100
+Subject: [PATCH] eepro100: Prevent two endless loops
+
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
+shows an example how an endless loop in function action_command can
+be achieved.
+
+During my code review, I noticed a 2nd case which can result in an
+endless loop.
+
+Reported-by: Qinghao Tang
+Signed-off-by: Stefan Weil
+Signed-off-by: Jason Wang
+---
+ hw/net/eepro100.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index 60333b7..685a478 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
+ #if 0
+ uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
+ #endif
++ if (tx_buffer_size == 0) {
++ /* Prevent an endless loop. */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
++ break;
++ }
+ tbd_address += 8;
+ TRACE(RXTX, logout
+ ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
+@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s)
+
+ static void action_command(EEPRO100State *s)
+ {
++ /* The loop below won't stop if it gets special handcrafted data.
++ Therefore we limit the number of iterations. */
++ unsigned max_loop_count = 16;
++
+ for (;;) {
+ bool bit_el;
+ bool bit_s;
+@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s)
+ #if 0
+ bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
+ #endif
++
++ if (max_loop_count-- == 0) {
++ /* Prevent an endless loop. */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
++ break;
++ }
++
+ s->cu_offset = s->tx.link;
+ TRACE(OTHER,
+ logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
+--
+2.6.2
+
-- cgit v1.2.3-65-gdbad
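Review bot: `unsigned max_loop_count = 16;` in `action_command` is an unexplained magic number: the comment says the loop is bounded but not why sixteen command blocks per CU start is enough for a well-behaved guest, and a longer legitimate CB list would now be cut off silently with nothing but a debug `logout`. Name and document it, e.g. `#define EEPRO100_MAX_CB_CHAIN 16 /* CBs walked per CU start; real lists are short, longer chains are treated as guest-hostile */`, and consider whether hitting the cap should also leave an error indication the guest can observe rather than just breaking out. The `tx_buffer_size == 0` guard in `tx_command` reuses the same `"loop in %s:%u\n"` message for a different condition (a zero-length TBD); a message naming the zero-sized buffer would make these logs easier to triage. Both the TBD loop in `tx_command` and the `for (;;)` body in `action_command` continue outside the hunk.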