[OE-core] [PATCH 1/1] qemu: fix CVE-2015-5279

Hongxu Jia hongxu.jia at windriver.com
Fri Nov 13 02:08:31 UTC 2015


Backported from upstream by cherry-picking the commit
http://git.qemu.org/?p=qemu.git;a=commit;h=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755

Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
 .../qemu/qemu/qemu-CVE-2015-5279.patch             | 78 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.4.0.bb           |  1 +
 2 files changed, 79 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-5279.patch

diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-5279.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-5279.patch
new file mode 100644
index 0000000..7d6eccd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-5279.patch
@@ -0,0 +1,78 @@
+From 7e299c93b27902bd37c86b80cb00e0f030e9ef37 Mon Sep 17 00:00:00 2001
+From: P J P <pjp at fedoraproject.org>
+Date: Tue, 15 Sep 2015 16:40:49 +0530
+Subject: [PATCH] net: add checks to validate ring buffer
+ pointers(CVE-2015-5279)
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. While receiving packets
+via ne2000_receive() routine, a local 'index' variable
+could exceed the ring buffer size, which could lead to a
+memory buffer overflow. Added other checks at initialisation.
+
+Reported-by: Qinghao Tang <luodalongde at gmail.com>
+Signed-off-by: P J P <pjp at fedoraproject.org>
+Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
+(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
+Signed-off-by: Michael Roth <mdroth at linux.vnet.ibm.com>
+
+Upstream-Status: Backport [cherry picked from commit
+http://git.qemu.org/?p=qemu.git;a=patch;
+h=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755]
+
+Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
+---
+ hw/net/ne2000.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 3492db3..9278571 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+     }
+ 
+     index = s->curpag << 8;
++    if (index >= NE2000_PMEM_END) {
++        index = s->start;
++    }
+     /* 4 bytes for header */
+     total_len = size + 4;
+     /* address for next packet (4 bytes for CRC) */
+@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+         offset = addr | (page << 4);
+         switch(offset) {
+         case EN0_STARTPG:
+-            s->start = val << 8;
++            if (val << 8 <= NE2000_PMEM_END) {
++                s->start = val << 8;
++            }
+             break;
+         case EN0_STOPPG:
+-            s->stop = val << 8;
++            if (val << 8 <= NE2000_PMEM_END) {
++                s->stop = val << 8;
++            }
+             break;
+         case EN0_BOUNDARY:
+-            s->boundary = val;
++            if (val << 8 < NE2000_PMEM_END) {
++                s->boundary = val;
++            }
+             break;
+         case EN0_IMR:
+             s->imr = val;
+@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+             s->phys[offset - EN1_PHYS] = val;
+             break;
+         case EN1_CURPAG:
+-            s->curpag = val;
++            if (val << 8 < NE2000_PMEM_END) {
++                s->curpag = val;
++            }
+             break;
+         case EN1_MULT ... EN1_MULT + 7:
+             s->mult[offset - EN1_MULT] = val;
+-- 
+1.9.1
+
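Review bot: The new range checks in the EN0_STARTPG, EN0_STOPPG, EN0_BOUNDARY and EN1_CURPAG cases of ne2000_ioport_write bound each register against NE2000_PMEM_END on its own but never enforce the ordering between them, so the guest can still leave s->stop <= s->start; the fallback added at the top of ne2000_receive (`index = s->start` when `index >= NE2000_PMEM_END`) and the wrap-around further down that function (outside this hunk) then has nowhere valid to go, which looks like a remaining guest-triggerable hang rather than the overflow the commit fixes. The `<=` in the EN0_STARTPG case also admits `s->start == NE2000_PMEM_END`, and if NE2000_PMEM_END is the size of s->mem (the 49152 in the description suggests so, but the header is not visible here) that fallback `index` points one byte past the buffer. A minimal tightening is to make the two cases depend on each other: `if (val << 8 <= NE2000_PMEM_END && val << 8 < s->stop)` for EN0_STARTPG and `if (val << 8 <= NE2000_PMEM_END && val << 8 > s->start)` for EN0_STOPPG, with the same `< s->stop` bound on EN0_BOUNDARY and EN1_CURPAG. Note too that `val << 8` is evaluated on the uint32_t parameter, so a value with bits 24 and above set wraps to a small number and passes the comparison; that is harmless for start/stop because the stored value is the same wrapped expression, but worth a one-line comment unless the caller is known to narrow val to a byte. Both ne2000_receive and ne2000_ioport_write begin and end outside the hunks shown.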
diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
index 1505b80..b3ae48b 100644
--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
             file://smc91c111_fix2.patch \
             file://smc91c111_fix3.patch \
             file://no-valgrind.patch \
+            file://qemu-CVE-2015-5279.patch \
            "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"
-- 
1.9.1



