diff options
| author |   Armin Kuster <akuster@mvista.com> | 2016-02-06 15:14:52 -0800 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-07 17:20:58 +0000 |
| commit | 90d2a8eb0853f506a457e9935f4354c71d2fc9c9 (patch) | |
| tree | 8f859c71c9eb714ba7863fdf29f5e29863ea852e | |
| parent | 10752d6beb5520ec0fc83a7d0173e10144b11685 (diff) | |
| download | openembedded-core-contrib-90d2a8eb0853f506a457e9935f4354c71d2fc9c9.tar.gz | |
qemu: Security fix CVE-2015-7512
CVE-2015-7512 Qemu: net: pcnet: buffer overflow in non-loopback mod
(From OE-Core rev: e6e9be51f77c9531f49cebe0ca6b495c23cf022d)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch | 44 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.2.0.bb | 1 |
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch new file mode 100644 index 0000000000..9b4cf1456f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch @@ -0,0 +1,44 @@ +From 8b98a2f07175d46c3f7217639bd5e03f2ec56343 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Mon, 30 Nov 2015 15:00:06 +0800 +Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512) + +Backends could provide a packet whose length is greater than buffer +size. Check for this and truncate the packet to avoid rx buffer +overflow in this case. + +Cc: Prasad J Pandit <pjp@fedoraproject.org> +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upsteam_Status: Backport + +http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343 + +CVE: CVE-2015-7512 +[Yocto # 9013] + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/net/pcnet.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: qemu-2.2.0/hw/net/pcnet.c +=================================================================== +--- qemu-2.2.0.orig/hw/net/pcnet.c ++++ qemu-2.2.0/hw/net/pcnet.c +@@ -1086,6 +1086,12 @@ ssize_t pcnet_receive(NetClientState *nc + int pktcount = 0; + + if (!s->looptest) { ++ if (size > 4092) { ++#ifdef PCNET_DEBUG_RMD ++ fprintf(stderr, "pcnet: truncates rx packet.\n"); ++#endif ++ size = 4092; ++ } + memcpy(src, buf, size); + /* no need to compute the CRC */ + src[size] = 0; diff --git a/meta/recipes-devtools/qemu/qemu_2.2.0.bb b/meta/recipes-devtools/qemu/qemu_2.2.0.bb index bb27034606..950917e66a 100644 --- a/meta/recipes-devtools/qemu/qemu_2.2.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.2.0.bb @@ -22,6 +22,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ file://qemu-fix-CVE-2015-3209.patch \ file://CVE-2015-8504.patch \ file://CVE-2015-7504.patch \ + file://CVE-2015-7512.patch \ " SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" SRC_URI[md5sum] = "f7a5e2da22d057eb838a91da7aff43c8" |