rpm/qemu
SHA256
1
0
Fork 0
forked from pool/qemu
Code Pull Requests Activity

Accepting request 721580 from home:lyan:branches:Virtualization

Browse Source 
security fix for CVE-2019-14378

OBS-URL: https://build.opensuse.org/request/show/721580
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=485
This commit is contained in:
Bruce Rogers 2019-08-07 21:16:47 +00:00 committed by Git OBS Bridge
parent 3ca29aabb4
commit 55d58383b8
6 changed files with 71 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
qemu-testsuite.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Aug 7 02:40:53 UTC 2019 - Liang Yan <lyan@suse.com>
- Security fix for heap overflow in ip_reass on big packet input
(CVE-2019-14378, bsc#1143794)
slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
-------------------------------------------------------------------
Tue Aug 6 14:45:35 UTC 2019 - Bruce Rogers <brogers@suse.com>

7
qemu-testsuite.spec
View File

@ -224,6 +224,9 @@ Patch1600: keycodemapdb-make-keycode-gen-output-reproducible.patch
# openBIOS - path: roms/openbios (patch range 1700-1799) (Currently no patches)
# slirp - patch: slirp/ (patch range 1800-1899)
Patch1800: slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
# If for any reason we have any QEMU patches which are conditionally applied,
# "manually" include them here:
@ -1056,6 +1059,10 @@ popd
pushd roms/openbios
popd
pushd slirp/
%patch1800 -p1
popd
%if "%{name}" != "qemu-testsuite"
# delete the firmware files that we intend to build
for i in %built_firmware

7
qemu.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Aug 7 02:40:53 UTC 2019 - Liang Yan <lyan@suse.com>
- Security fix for heap overflow in ip_reass on big packet input
(CVE-2019-14378, bsc#1143794)
slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
-------------------------------------------------------------------
Tue Aug 6 14:45:35 UTC 2019 - Bruce Rogers <brogers@suse.com>

7
qemu.spec
View File

@ -224,6 +224,9 @@ Patch1600: keycodemapdb-make-keycode-gen-output-reproducible.patch
# openBIOS - path: roms/openbios (patch range 1700-1799) (Currently no patches)
# slirp - patch: slirp/ (patch range 1800-1899)
Patch1800: slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
# If for any reason we have any QEMU patches which are conditionally applied,
# "manually" include them here:
@ -1056,6 +1059,10 @@ popd
pushd roms/openbios
popd
pushd slirp/
%patch1800 -p1
popd
%if "%{name}" != "qemu-testsuite"
# delete the firmware files that we intend to build
for i in %built_firmware

7
qemu.spec.in
View File

@ -171,6 +171,9 @@ Patch1600: keycodemapdb-make-keycode-gen-output-reproducible.patch
# openBIOS - path: roms/openbios (patch range 1700-1799) (Currently no patches)
# slirp - patch: slirp/ (patch range 1800-1899)
Patch1800: slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
# If for any reason we have any QEMU patches which are conditionally applied,
# "manually" include them here:
@ -953,6 +956,10 @@ popd
pushd roms/openbios
popd
pushd slirp/
%patch1800 -p1
popd
%if "%{name}" != "qemu-testsuite"
# delete the firmware files that we intend to build
for i in %built_firmware

36
slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input.patch Normal file
View File

@ -0,0 +1,36 @@
From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Sun, 28 Jul 2019 19:11:24 +0200
Subject: [PATCH] Fix heap overflow in ip_reass on big packet input
When the first fragment does not fit in the preallocated buffer, q will
already be pointing to the ext buffer, so we mustn't try to update it.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210)
[LY: CVE-2019-14378 BSC#1143794]
Signed-off-by: Liang Yan <lyan@suse.com>
---
src/ip_input.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/src/ip_input.c
+++ b/src/ip_input.c
@@ -331,6 +331,8 @@ insert:
q = fp->frag_link.next;
m = dtom(slirp, q);
+ int was_ext = m->m_flags & M_EXT;
+
q = (struct ipasfrag *) q->ipf_next;
while (q != (struct ipasfrag*)&fp->frag_link) {
struct mbuf *t = dtom(slirp, q);
@@ -353,7 +355,7 @@ insert:
* the old buffer (in the mbuf), so we must point ip
* into the new buffer.
*/
- if (m->m_flags & M_EXT) {
+ if (!was_ext && m->m_flags & M_EXT) {
int delta = (char *)q - m->m_dat;
q = (struct ipasfrag *)(m->m_ext + delta);
}