From 55d58383b869061536d7293be5e550832f7412f1eadb4e32e57e351e864bc5ea Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Wed, 7 Aug 2019 21:16:47 +0000 Subject: [PATCH] Accepting request 721580 from home:lyan:branches:Virtualization security fix for CVE-2019-14378 OBS-URL: https://build.opensuse.org/request/show/721580 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=485 --- qemu-testsuite.changes | 7 ++++ qemu-testsuite.spec | 7 ++++ qemu.changes | 7 ++++ qemu.spec | 7 ++++ qemu.spec.in | 7 ++++ ...flow-in-ip_reass-on-big-packet-input.patch | 36 +++++++++++++++++++ 6 files changed, 71 insertions(+) create mode 100644 slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index 3f717015..0c76da87 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Aug 7 02:40:53 UTC 2019 - Liang Yan + +- Security fix for heap overflow in ip_reass on big packet input + (CVE-2019-14378, bsc#1143794) + slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch + ------------------------------------------------------------------- Tue Aug 6 14:45:35 UTC 2019 - Bruce Rogers diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index 07cc109f..99f61900 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec @@ -224,6 +224,9 @@ Patch1600: keycodemapdb-make-keycode-gen-output-reproducible.patch # openBIOS - path: roms/openbios (patch range 1700-1799) (Currently no patches) +# slirp - patch: slirp/ (patch range 1800-1899) +Patch1800: slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch + # If for any reason we have any QEMU patches which are conditionally applied, # "manually" include them here: @@ -1056,6 +1059,10 @@ popd pushd roms/openbios popd +pushd slirp/ +%patch1800 -p1 +popd + %if "%{name}" != "qemu-testsuite" # delete the firmware files that we intend to build for i in %built_firmware diff --git a/qemu.changes b/qemu.changes index 3f717015..0c76da87 100644 --- a/qemu.changes +++ b/qemu.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Aug 7 02:40:53 UTC 2019 - Liang Yan + +- Security fix for heap overflow in ip_reass on big packet input + (CVE-2019-14378, bsc#1143794) + slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch + ------------------------------------------------------------------- Tue Aug 6 14:45:35 UTC 2019 - Bruce Rogers diff --git a/qemu.spec b/qemu.spec index 084c115d..7da46391 100644 --- a/qemu.spec +++ b/qemu.spec @@ -224,6 +224,9 @@ Patch1600: keycodemapdb-make-keycode-gen-output-reproducible.patch # openBIOS - path: roms/openbios (patch range 1700-1799) (Currently no patches) +# slirp - patch: slirp/ (patch range 1800-1899) +Patch1800: slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch + # If for any reason we have any QEMU patches which are conditionally applied, # "manually" include them here: @@ -1056,6 +1059,10 @@ popd pushd roms/openbios popd +pushd slirp/ +%patch1800 -p1 +popd + %if "%{name}" != "qemu-testsuite" # delete the firmware files that we intend to build for i in %built_firmware diff --git a/qemu.spec.in b/qemu.spec.in index c84c93fc..f5ada61c 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -171,6 +171,9 @@ Patch1600: keycodemapdb-make-keycode-gen-output-reproducible.patch # openBIOS - path: roms/openbios (patch range 1700-1799) (Currently no patches) +# slirp - patch: slirp/ (patch range 1800-1899) +Patch1800: slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch + # If for any reason we have any QEMU patches which are conditionally applied, # "manually" include them here: @@ -953,6 +956,10 @@ popd pushd roms/openbios popd +pushd slirp/ +%patch1800 -p1 +popd + %if "%{name}" != "qemu-testsuite" # delete the firmware files that we intend to build for i in %built_firmware diff --git a/slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch b/slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch new file mode 100644 index 00000000..b16be8cb --- /dev/null +++ b/slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch @@ -0,0 +1,36 @@ +From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Sun, 28 Jul 2019 19:11:24 +0200 +Subject: [PATCH] Fix heap overflow in ip_reass on big packet input + +When the first fragment does not fit in the preallocated buffer, q will +already be pointing to the ext buffer, so we mustn't try to update it. + +Signed-off-by: Samuel Thibault +(cherry picked from commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210) +[LY: CVE-2019-14378 BSC#1143794] +Signed-off-by: Liang Yan +--- + src/ip_input.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/src/ip_input.c ++++ b/src/ip_input.c +@@ -331,6 +331,8 @@ insert: + q = fp->frag_link.next; + m = dtom(slirp, q); + ++ int was_ext = m->m_flags & M_EXT; ++ + q = (struct ipasfrag *) q->ipf_next; + while (q != (struct ipasfrag*)&fp->frag_link) { + struct mbuf *t = dtom(slirp, q); +@@ -353,7 +355,7 @@ insert: + * the old buffer (in the mbuf), so we must point ip + * into the new buffer. + */ +- if (m->m_flags & M_EXT) { ++ if (!was_ext && m->m_flags & M_EXT) { + int delta = (char *)q - m->m_dat; + q = (struct ipasfrag *)(m->m_ext + delta); + }