diff options
| author | Mark H Weaver <mhw@netris.org> | 2015-09-26 00:35:00 -0400 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2015-09-26 10:32:19 -0400 |
| commit | d2a633660983c12b00ef1489a73289b3871f905b (patch) | |
| tree | 29acdfe2b60119f9e28953241fe7c0afb9a1a91a /gnu/packages/patches/qemu-CVE-2015-3209.patch | |
| parent | e1556533d3e57950417b2e35a68e95c65fee5042 (diff) | |
gnu: qemu: Update to 2.4.0.1. Include fix for CVE-2015-6855.
* gnu/packages/patches/qemu-CVE-2015-3209.patch,
gnu/packages/patches/qemu-CVE-2015-4037.patch,
gnu/packages/patches/qemu-CVE-2015-4103.patch,
gnu/packages/patches/qemu-CVE-2015-4104.patch,
gnu/packages/patches/qemu-CVE-2015-4105.patch,
gnu/packages/patches/qemu-CVE-2015-4106-pt1.patch,
gnu/packages/patches/qemu-CVE-2015-4106-pt2.patch,
gnu/packages/patches/qemu-CVE-2015-4106-pt3.patch,
gnu/packages/patches/qemu-CVE-2015-4106-pt4.patch,
gnu/packages/patches/qemu-CVE-2015-4106-pt5.patch,
gnu/packages/patches/qemu-CVE-2015-4106-pt6.patch,
gnu/packages/patches/qemu-CVE-2015-4106-pt7.patch,
gnu/packages/patches/qemu-CVE-2015-4106-pt8.patch,
gnu/packages/patches/qemu-CVE-2015-5745.patch: Delete files.
* gnu/packages/patches/qemu-CVE-2015-6855.patch: New file.
* gnu-system.am (dist_patch_DATA): Add the new patch and delete the old ones.
* gnu/packages/qemu.scm (qemu-headless): Update to 2.4.0.1. Add the new patch
and delete the old ones.
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2015-3209.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2015-3209.patch | 49 |
1 files changed, 0 insertions, 49 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2015-3209.patch b/gnu/packages/patches/qemu-CVE-2015-3209.patch deleted file mode 100644 index 0bb726698c..0000000000 --- a/gnu/packages/patches/qemu-CVE-2015-3209.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001 -From: Petr Matousek <pmatouse@redhat.com> -Date: Sun, 24 May 2015 10:53:44 +0200 -Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx - -4096 is the maximum length per TMD and it is also currently the size of -the relay buffer pcnet driver uses for sending the packet data to QEMU -for further processing. With packet spanning multiple TMDs it can -happen that the overall packet size will be bigger than sizeof(buffer), -which results in memory corruption. - -Fix this by only allowing to queue maximum sizeof(buffer) bytes. - -This is CVE-2015-3209. - -[Fixed 3-space indentation to QEMU's 4-space coding standard. ---Stefan] - -Signed-off-by: Petr Matousek <pmatouse@redhat.com> -Reported-by: Matt Tait <matttait@google.com> -Reviewed-by: Peter Maydell <peter.maydell@linaro.org> -Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/net/pcnet.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index bdfd38f..68b9981 100644 ---- a/hw/net/pcnet.c -+++ b/hw/net/pcnet.c -@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) - } - - bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -+ -+ /* if multi-tmd packet outsizes s->buffer then skip it silently. -+ Note: this is not what real hw does */ -+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { -+ s->xmit_pos = -1; -+ goto txdone; -+ } -+ - s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), - s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); - s->xmit_pos += bcnt; --- -2.2.1 - |