gnu: qemu: Fix CVE-2017-{13711,14167}.
* gnu/packages/patches/qemu-CVE-2017-14167.patch gnu/packages/patches/qemu-CVE-2017-13711.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/virtualization.scm (qemu)[source]: Use them.
This commit is contained in:
parent
94d671f673
commit
6a7bd25bf2
|
@ -978,6 +978,8 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
|
%D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
|
||||||
%D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
|
%D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
|
||||||
%D%/packages/patches/python2-subprocess32-disable-input-test.patch \
|
%D%/packages/patches/python2-subprocess32-disable-input-test.patch \
|
||||||
|
%D%/packages/patches/qemu-CVE-2017-13711.patch \
|
||||||
|
%D%/packages/patches/qemu-CVE-2017-14167.patch \
|
||||||
%D%/packages/patches/qt4-ldflags.patch \
|
%D%/packages/patches/qt4-ldflags.patch \
|
||||||
%D%/packages/patches/qtscript-disable-tests.patch \
|
%D%/packages/patches/qtscript-disable-tests.patch \
|
||||||
%D%/packages/patches/quagga-reproducible-build.patch \
|
%D%/packages/patches/quagga-reproducible-build.patch \
|
||||||
|
|
|
@ -0,0 +1,89 @@
|
||||||
|
Fix CVE-2017-13711:
|
||||||
|
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13711
|
||||||
|
|
||||||
|
Patch copied from upstream source repository:
|
||||||
|
|
||||||
|
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1201d308519f1e915866d7583d5136d03cc1d384
|
||||||
|
|
||||||
|
From 1201d308519f1e915866d7583d5136d03cc1d384 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
||||||
|
Date: Fri, 25 Aug 2017 01:35:53 +0200
|
||||||
|
Subject: [PATCH] slirp: fix clearing ifq_so from pending packets
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
The if_fastq and if_batchq contain not only packets, but queues of packets
|
||||||
|
for the same socket. When sofree frees a socket, it thus has to clear ifq_so
|
||||||
|
from all the packets from the queues, not only the first.
|
||||||
|
|
||||||
|
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
|
||||||
|
Cc: qemu-stable@nongnu.org
|
||||||
|
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||||
|
---
|
||||||
|
slirp/socket.c | 39 +++++++++++++++++++++++----------------
|
||||||
|
1 file changed, 23 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/slirp/socket.c b/slirp/socket.c
|
||||||
|
index ecec0295a9..cb7b5b608d 100644
|
||||||
|
--- a/slirp/socket.c
|
||||||
|
+++ b/slirp/socket.c
|
||||||
|
@@ -59,6 +59,27 @@ socreate(Slirp *slirp)
|
||||||
|
return(so);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Remove references to so from the given message queue.
|
||||||
|
+ */
|
||||||
|
+static void
|
||||||
|
+soqfree(struct socket *so, struct quehead *qh)
|
||||||
|
+{
|
||||||
|
+ struct mbuf *ifq;
|
||||||
|
+
|
||||||
|
+ for (ifq = (struct mbuf *) qh->qh_link;
|
||||||
|
+ (struct quehead *) ifq != qh;
|
||||||
|
+ ifq = ifq->ifq_next) {
|
||||||
|
+ if (ifq->ifq_so == so) {
|
||||||
|
+ struct mbuf *ifm;
|
||||||
|
+ ifq->ifq_so = NULL;
|
||||||
|
+ for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) {
|
||||||
|
+ ifm->ifq_so = NULL;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* remque and free a socket, clobber cache
|
||||||
|
*/
|
||||||
|
@@ -66,23 +87,9 @@ void
|
||||||
|
sofree(struct socket *so)
|
||||||
|
{
|
||||||
|
Slirp *slirp = so->slirp;
|
||||||
|
- struct mbuf *ifm;
|
||||||
|
|
||||||
|
- for (ifm = (struct mbuf *) slirp->if_fastq.qh_link;
|
||||||
|
- (struct quehead *) ifm != &slirp->if_fastq;
|
||||||
|
- ifm = ifm->ifq_next) {
|
||||||
|
- if (ifm->ifq_so == so) {
|
||||||
|
- ifm->ifq_so = NULL;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- for (ifm = (struct mbuf *) slirp->if_batchq.qh_link;
|
||||||
|
- (struct quehead *) ifm != &slirp->if_batchq;
|
||||||
|
- ifm = ifm->ifq_next) {
|
||||||
|
- if (ifm->ifq_so == so) {
|
||||||
|
- ifm->ifq_so = NULL;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
+ soqfree(so, &slirp->if_fastq);
|
||||||
|
+ soqfree(so, &slirp->if_batchq);
|
||||||
|
|
||||||
|
if (so->so_emu==EMU_RSH && so->extra) {
|
||||||
|
sofree(so->extra);
|
||||||
|
--
|
||||||
|
2.14.1
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
Fix CVE-2017-14167:
|
||||||
|
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14167
|
||||||
|
http://seclists.org/oss-sec/2017/q3/407
|
||||||
|
|
||||||
|
Patch copied from upstream development mailing list:
|
||||||
|
|
||||||
|
https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html
|
||||||
|
|
||||||
|
From: Prasad J Pandit <address@hidden>
|
||||||
|
|
||||||
|
While loading kernel via multiboot-v1 image, (flags & 0x00010000)
|
||||||
|
indicates that multiboot header contains valid addresses to load
|
||||||
|
the kernel image. These addresses are used to compute kernel
|
||||||
|
size and kernel text offset in the OS image. Validate these
|
||||||
|
address values to avoid an OOB access issue.
|
||||||
|
|
||||||
|
This is CVE-2017-14167.
|
||||||
|
|
||||||
|
Reported-by: Thomas Garnier <address@hidden>
|
||||||
|
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||||
|
---
|
||||||
|
hw/i386/multiboot.c | 19 +++++++++++++++++++
|
||||||
|
1 file changed, 19 insertions(+)
|
||||||
|
|
||||||
|
Update: add CVE-ID to the commit message.
|
||||||
|
|
||||||
|
diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
|
||||||
|
index 6001f4caa2..c7b70c91d5 100644
|
||||||
|
--- a/hw/i386/multiboot.c
|
||||||
|
+++ b/hw/i386/multiboot.c
|
||||||
|
@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
|
||||||
|
uint32_t mh_header_addr = ldl_p(header+i+12);
|
||||||
|
uint32_t mh_load_end_addr = ldl_p(header+i+20);
|
||||||
|
uint32_t mh_bss_end_addr = ldl_p(header+i+24);
|
||||||
|
+
|
||||||
|
mh_load_addr = ldl_p(header+i+16);
|
||||||
|
+ if (mh_header_addr < mh_load_addr) {
|
||||||
|
+ fprintf(stderr, "invalid mh_load_addr address\n");
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
|
||||||
|
uint32_t mb_load_size = 0;
|
||||||
|
mh_entry_addr = ldl_p(header+i+28);
|
||||||
|
|
||||||
|
if (mh_load_end_addr) {
|
||||||
|
+ if (mh_bss_end_addr < mh_load_addr) {
|
||||||
|
+ fprintf(stderr, "invalid mh_bss_end_addr address\n");
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
mb_kernel_size = mh_bss_end_addr - mh_load_addr;
|
||||||
|
+
|
||||||
|
+ if (mh_load_end_addr < mh_load_addr) {
|
||||||
|
+ fprintf(stderr, "invalid mh_load_end_addr address\n");
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
mb_load_size = mh_load_end_addr - mh_load_addr;
|
||||||
|
} else {
|
||||||
|
+ if (kernel_file_size < mb_kernel_text_offset) {
|
||||||
|
+ fprintf(stderr, "invalid kernel_file_size\n");
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
|
||||||
|
mb_load_size = mb_kernel_size;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.13.5
|
||||||
|
|
|
@ -77,6 +77,8 @@
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append "https://download.qemu.org/qemu-"
|
(uri (string-append "https://download.qemu.org/qemu-"
|
||||||
version ".tar.xz"))
|
version ".tar.xz"))
|
||||||
|
(patches (search-patches "qemu-CVE-2017-13711.patch"
|
||||||
|
"qemu-CVE-2017-14167.patch"))
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"0dgk7zcni41nf1jp84y0m6dk2nb4frnh571m8hkiv0m4hz4imn2m"))))
|
"0dgk7zcni41nf1jp84y0m6dk2nb4frnh571m8hkiv0m4hz4imn2m"))))
|
||||||
|
|
Loading…
Reference in New Issue