From 7fbffc1697b488988980af7e322f071cb8d1eea8 Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Aug 11 2015 22:42:10 +0000
Subject: Rebased to version 2.3.1
---
diff --git a/0001-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch b/0001-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
deleted file mode 100644
index 80cc267..0000000
--- a/0001-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -From: Petr Matousek -Date: Wed, 6 May 2015 09:48:59 +0200 -Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated - buffer - -During processing of certain commands such as FD_CMD_READ_ID and -FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could -get out of bounds leading to memory corruption with values coming -from the guest. - -Fix this by making sure that the index is always bounded by the -allocated memory. - -This is CVE-2015-3456. - -Signed-off-by: Petr Matousek -Reviewed-by: John Snow -Signed-off-by: John Snow -(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c) ---- - hw/block/fdc.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index 2bf87c9..a9de4ab 100644 ---- a/hw/block/fdc.c -+++ b/hw/block/fdc.c -@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - { - FDrive *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) - { - FDrive *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - fdctrl->fifo[0] = fdctrl->fifo[1]; - fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; -@@ -1970,7 +1973,7 @@ static 
uint8_t command_to_handler[256]; - static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - { - FDrive *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command diff --git a/0001-slirp-use-less-predictable-directory-name-in-tmp-for.patch b/0001-slirp-use-less-predictable-directory-name-in-tmp-for.patch new file mode 100644 index 0000000..fb36234 --- /dev/null +++ b/0001-slirp-use-less-predictable-directory-name-in-tmp-for.patch 
@@ -0,0 +1,50 @@ +From: Michael Tokarev +Date: Thu, 28 May 2015 14:12:26 +0300 +Subject: [PATCH] slirp: use less predictable directory name in /tmp for smb + config (CVE-2015-4037) + +In this version I used mkdtemp(3) which is: + + _BSD_SOURCE + || /* Since glibc 2.10: */ + (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700) + +(POSIX.1-2008), so should be available on systems we care about. + +While at it, reset the resulting directory name within smb structure +on error so cleanup function wont try to remove directory which we +failed to create. + +Signed-off-by: Michael Tokarev +Reviewed-by: Markus Armbruster +(cherry picked from commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3) +--- + net/slirp.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/slirp.c b/net/slirp.c +index 9bbed74..3090c10 100644 +--- a/net/slirp.c ++++ b/net/slirp.c +@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState *s) + static int slirp_smb(SlirpState* s, const char *exported_dir, + struct in_addr vserver_addr) + { +- static int instance; + char smb_conf[128]; + char smb_cmdline[128]; + struct passwd *passwd; +@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, const char *exported_dir, + return -1; + } + +- snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d", +- (long)getpid(), instance++); +- if (mkdir(s->smb_dir, 0700) < 0) { ++ snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX"); ++ if (!mkdtemp(s->smb_dir)) { + error_report("could not create samba server dir '%s'", s->smb_dir); ++ s->smb_dir[0] = 0; + return -1; + } + snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf"); diff --git a/0002-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch b/0002-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch new file mode 100644 index 0000000..23300f5 --- /dev/null +++ b/0002-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch 
@@ -0,0 +1,54 @@ +From: =?UTF-8?q?Jind=C5=99ich=20Makovi=C4=8Dka?= +Date: Wed, 24 Jun 2015 07:05:25 +0200 +Subject: [PATCH] qcow2: Handle EAGAIN returned from update_refcount +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes a crash during image compression + +Signed-off-by: Jindřich Makovička +Tested-by: Richard W.M. Jones +Reviewed-by: Max Reitz +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 3e5feb6202149e8a963a33b911216e40d790f1d7) +--- + block/qcow2-refcount.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c +index 63c0085..d4f3351 100644 +--- a/block/qcow2-refcount.c ++++ b/block/qcow2-refcount.c +@@ -954,19 +954,21 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size) + } + + free_in_cluster = s->cluster_size - offset_into_cluster(s, offset); +- if (!offset || free_in_cluster < size) { +- int64_t new_cluster = alloc_clusters_noref(bs, s->cluster_size); +- if (new_cluster < 0) { +- return new_cluster; +- } ++ do { ++ if (!offset || free_in_cluster < size) { ++ int64_t new_cluster = alloc_clusters_noref(bs, s->cluster_size); ++ if (new_cluster < 0) { ++ return new_cluster; ++ } + +- if (!offset || ROUND_UP(offset, s->cluster_size) != new_cluster) { +- offset = new_cluster; ++ if (!offset || ROUND_UP(offset, s->cluster_size) != new_cluster) { ++ offset = new_cluster; ++ } + } +- } + +- assert(offset); +- ret = update_refcount(bs, offset, size, 1, false, QCOW2_DISCARD_NEVER); ++ assert(offset); ++ ret = update_refcount(bs, offset, size, 1, false, QCOW2_DISCARD_NEVER); ++ } while (ret == -EAGAIN); + if (ret < 0) { + return ret; + } diff --git a/0002-slirp-use-less-predictable-directory-name-in-tmp-for.patch b/0002-slirp-use-less-predictable-directory-name-in-tmp-for.patch deleted file mode 100644 index fb36234..0000000 
--- a/0002-slirp-use-less-predictable-directory-name-in-tmp-for.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Michael Tokarev -Date: Thu, 28 May 2015 14:12:26 +0300 -Subject: [PATCH] slirp: use less predictable directory name in /tmp for smb - config (CVE-2015-4037) - -In this version I used mkdtemp(3) which is: - - _BSD_SOURCE - || /* Since glibc 2.10: */ - (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700) - -(POSIX.1-2008), so should be available on systems we care about. - -While at it, reset the resulting directory name within smb structure -on error so cleanup function wont try to remove directory which we -failed to create. - -Signed-off-by: Michael Tokarev -Reviewed-by: Markus Armbruster -(cherry picked from commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3) ---- - net/slirp.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/net/slirp.c b/net/slirp.c -index 9bbed74..3090c10 100644 ---- a/net/slirp.c -+++ b/net/slirp.c -@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState *s) - static int slirp_smb(SlirpState* s, const char *exported_dir, - struct in_addr vserver_addr) - { -- static int instance; - char smb_conf[128]; - char smb_cmdline[128]; - struct passwd *passwd; -@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, const char *exported_dir, - return -1; - } - -- snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d", -- (long)getpid(), instance++); -- if (mkdir(s->smb_dir, 0700) < 0) { -+ snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX"); -+ if (!mkdtemp(s->smb_dir)) { - error_report("could not create samba server dir '%s'", s->smb_dir); -+ s->smb_dir[0] = 0; - return -1; - } - snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf"); diff --git a/0003-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch b/0003-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch deleted file mode 100644 index 57724cc..0000000 
--- a/0003-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch +++ /dev/null @@ -1,54 +0,0 @@ -From: =?UTF-8?q?Jind=C5=99ich=20Makovi=C4=8Dka?= -Date: Wed, 24 Jun 2015 07:05:25 +0200 -Subject: [PATCH] qcow2: Handle EAGAIN returned from update_refcount -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes a crash during image compression - -Signed-off-by: Jindřich Makovička -Tested-by: Richard W.M. Jones -Reviewed-by: Max Reitz -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 3e5feb6202149e8a963a33b911216e40d790f1d7) ---- - block/qcow2-refcount.c | 22 ++++++++++++---------- - 1 file changed, 12 insertions(+), 10 deletions(-) - -diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c -index 6cbae1d..6b83b3e 100644 ---- a/block/qcow2-refcount.c -+++ b/block/qcow2-refcount.c -@@ -949,19 +949,21 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size) - } - - free_in_cluster = s->cluster_size - offset_into_cluster(s, offset); -- if (!offset || free_in_cluster < size) { -- int64_t new_cluster = alloc_clusters_noref(bs, s->cluster_size); -- if (new_cluster < 0) { -- return new_cluster; -- } -+ do { -+ if (!offset || free_in_cluster < size) { -+ int64_t new_cluster = alloc_clusters_noref(bs, s->cluster_size); -+ if (new_cluster < 0) { -+ return new_cluster; -+ } - -- if (!offset || ROUND_UP(offset, s->cluster_size) != new_cluster) { -- offset = new_cluster; -+ if (!offset || ROUND_UP(offset, s->cluster_size) != new_cluster) { -+ offset = new_cluster; -+ } - } -- } - -- assert(offset); -- ret = update_refcount(bs, offset, size, 1, false, QCOW2_DISCARD_NEVER); -+ assert(offset); -+ ret = update_refcount(bs, offset, size, 1, false, QCOW2_DISCARD_NEVER); -+ } while (ret == -EAGAIN); - if (ret < 0) { - return ret; - } diff --git a/0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch b/0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch new file mode 100644 index 0000000..ff56396 
--- /dev/null +++ b/0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch @@ -0,0 +1,41 @@ +From: Kevin Wolf +Date: Tue, 9 Jun 2015 10:45:16 +0200 +Subject: [PATCH] raw-posix: Fix .bdrv_co_get_block_status() for unaligned + image size + +Image files with an unaligned image size have a final hole that starts +at EOF, i.e. in the middle of a sector. Currently, *pnum == 0 is +returned when checking the status of this sector. In qemu-img, this +triggers an assertion failure. + +In order to fix this, one type for the sector that contains EOF must be +found. Treating a hole as data is safe, so this patch rounds the +calculated number of data sectors up, so that a partial sector at EOF is +treated as a full data sector. + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1229394 + +Signed-off-by: Kevin Wolf +Reviewed-by: Eric Blake +Tested-by: Cole Robinson +(cherry picked from commit b8684454e152ca2e100f4b59d80de2be27186206) +--- + block/raw-posix.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/block/raw-posix.c b/block/raw-posix.c +index 24d8582..88f0462 100644 +--- a/block/raw-posix.c ++++ b/block/raw-posix.c +@@ -1846,8 +1846,9 @@ static int64_t coroutine_fn raw_co_get_block_status(BlockDriverState *bs, + *pnum = nb_sectors; + ret = BDRV_BLOCK_DATA; + } else if (data == start) { +- /* On a data extent, compute sectors to the end of the extent. */ +- *pnum = MIN(nb_sectors, (hole - start) / BDRV_SECTOR_SIZE); ++ /* On a data extent, compute sectors to the end of the extent, ++ * possibly including a partial sector at EOF. */ ++ *pnum = MIN(nb_sectors, DIV_ROUND_UP(hole - start, BDRV_SECTOR_SIZE)); + ret = BDRV_BLOCK_DATA; + } else { + /* On a hole, compute sectors to the beginning of the next extent. */ diff --git a/0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch b/0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch new file mode 100644 index 0000000..7bef815 --- /dev/null 
+++ b/0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch @@ -0,0 +1,46 @@ +From: Petr Matousek +Date: Sun, 24 May 2015 10:53:44 +0200 +Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx + +4096 is the maximum length per TMD and it is also currently the size of +the relay buffer pcnet driver uses for sending the packet data to QEMU +for further processing. With packet spanning multiple TMDs it can +happen that the overall packet size will be bigger than sizeof(buffer), +which results in memory corruption. + +Fix this by only allowing to queue maximum sizeof(buffer) bytes. + +This is CVE-2015-3209. + +[Fixed 3-space indentation to QEMU's 4-space coding standard. +--Stefan] + +Signed-off-by: Petr Matousek +Reported-by: Matt Tait +Reviewed-by: Peter Maydell +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 9f7c594c006289ad41169b854d70f5da6e400a2a) +--- + hw/net/pcnet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index bdfd38f..68b9981 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) + } + + bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); ++ ++ /* if multi-tmd packet outsizes s->buffer then skip it silently. ++ Note: this is not what real hw does */ ++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { ++ s->xmit_pos = -1; ++ goto txdone; ++ } ++ + s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), + s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); + s->xmit_pos += bcnt; diff --git a/0004-spice-display-fix-segfault-in-qemu_spice_create_upda.patch b/0004-spice-display-fix-segfault-in-qemu_spice_create_upda.patch deleted file mode 100644 index 922111d..0000000 --- a/0004-spice-display-fix-segfault-in-qemu_spice_create_upda.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From: Gerd Hoffmann -Date: Tue, 9 Jun 2015 21:08:47 +0200 -Subject: [PATCH] spice-display: fix segfault in qemu_spice_create_update - -Although it is pretty unusual the stride for the guest image and the -mirror image maintained by spice-display can be different. So use -separate variables for them. - -https://bugzilla.redhat.com/show_bug.cgi?id=1163047 - -Cc: qemu-stable@nongnu.org -Reported-by: perrier vincent -Signed-off-by: Gerd Hoffmann -(cherry picked from commit c6e484707f28b3e115e64122a0570f6b3c585489) ---- - ui/spice-display.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/ui/spice-display.c b/ui/spice-display.c -index 1644185..5935564 100644 ---- a/ui/spice-display.c -+++ b/ui/spice-display.c -@@ -199,7 +199,7 @@ static void qemu_spice_create_update(SimpleSpiceDisplay *ssd) - static const int blksize = 32; - int blocks = (surface_width(ssd->ds) + blksize - 1) / blksize; - int dirty_top[blocks]; -- int y, yoff, x, xoff, blk, bw; -+ int y, yoff1, yoff2, x, xoff, blk, bw; - int bpp = surface_bytes_per_pixel(ssd->ds); - uint8_t *guest, *mirror; - -@@ -214,13 +214,14 @@ static void qemu_spice_create_update(SimpleSpiceDisplay *ssd) - guest = surface_data(ssd->ds); - mirror = (void *)pixman_image_get_data(ssd->mirror); - for (y = ssd->dirty.top; y < ssd->dirty.bottom; y++) { -- yoff = y * surface_stride(ssd->ds); -+ yoff1 = y * surface_stride(ssd->ds); -+ yoff2 = y * pixman_image_get_stride(ssd->mirror); - for (x = ssd->dirty.left; x < ssd->dirty.right; x += blksize) { - xoff = x * bpp; - blk = x / blksize; - bw = MIN(blksize, ssd->dirty.right - x); -- if (memcmp(guest + yoff + xoff, -- mirror + yoff + xoff, -+ if (memcmp(guest + yoff1 + xoff, -+ mirror + yoff2 + xoff, - bw * bpp) == 0) { - if (dirty_top[blk] != -1) { - QXLRect update = { 
diff --git a/0005-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch b/0005-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch deleted file mode 100644 index ff56396..0000000 --- a/0005-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Kevin Wolf -Date: Tue, 9 Jun 2015 10:45:16 +0200 -Subject: [PATCH] raw-posix: Fix .bdrv_co_get_block_status() for unaligned - image size - -Image files with an unaligned image size have a final hole that starts -at EOF, i.e. in the middle of a sector. Currently, *pnum == 0 is -returned when checking the status of this sector. In qemu-img, this -triggers an assertion failure. - -In order to fix this, one type for the sector that contains EOF must be -found. Treating a hole as data is safe, so this patch rounds the -calculated number of data sectors up, so that a partial sector at EOF is -treated as a full data sector. - -This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1229394 - -Signed-off-by: Kevin Wolf -Reviewed-by: Eric Blake -Tested-by: Cole Robinson -(cherry picked from commit b8684454e152ca2e100f4b59d80de2be27186206) ---- - block/raw-posix.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/block/raw-posix.c b/block/raw-posix.c -index 24d8582..88f0462 100644 ---- a/block/raw-posix.c -+++ b/block/raw-posix.c -@@ -1846,8 +1846,9 @@ static int64_t coroutine_fn raw_co_get_block_status(BlockDriverState *bs, - *pnum = nb_sectors; - ret = BDRV_BLOCK_DATA; - } else if (data == start) { -- /* On a data extent, compute sectors to the end of the extent. */ -- *pnum = MIN(nb_sectors, (hole - start) / BDRV_SECTOR_SIZE); -+ /* On a data extent, compute sectors to the end of the extent, -+ * possibly including a partial sector at EOF. */ -+ *pnum = MIN(nb_sectors, DIV_ROUND_UP(hole - start, BDRV_SECTOR_SIZE)); - ret = BDRV_BLOCK_DATA; - } else { - /* On a hole, compute sectors to the beginning of the next extent. */ 
diff --git a/0005-virtio-serial-fix-ANY_LAYOUT.patch b/0005-virtio-serial-fix-ANY_LAYOUT.patch new file mode 100644 index 0000000..9151550 --- /dev/null +++ b/0005-virtio-serial-fix-ANY_LAYOUT.patch @@ -0,0 +1,29 @@ +From: "Michael S. Tsirkin" +Date: Thu, 23 Jul 2015 17:52:02 +0300 +Subject: [PATCH] virtio-serial: fix ANY_LAYOUT + +Don't assume a specific layout for control messages. +Required by virtio 1. + +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Amit Shah +Reviewed-by: Jason Wang +(cherry picked from commit 7882080388be5088e72c425b02223c02e6cb4295) +--- + hw/char/virtio-serial-bus.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c +index e336bdb..2565521 100644 +--- a/hw/char/virtio-serial-bus.c ++++ b/hw/char/virtio-serial-bus.c +@@ -194,7 +194,8 @@ static size_t send_control_msg(VirtIOSerial *vser, void *buf, size_t len) + return 0; + } + +- memcpy(elem.in_sg[0].iov_base, buf, len); ++ /* TODO: detect a buffer that's too short, set NEEDS_RESET */ ++ iov_from_buf(elem.in_sg, elem.in_num, 0, buf, len); + + virtqueue_push(vq, &elem, len); + virtio_notify(VIRTIO_DEVICE(vser), vq); diff --git a/0006-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch b/0006-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch deleted file mode 100644 index 7bef815..0000000 --- a/0006-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From: Petr Matousek -Date: Sun, 24 May 2015 10:53:44 +0200 -Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx - -4096 is the maximum length per TMD and it is also currently the size of -the relay buffer pcnet driver uses for sending the packet data to QEMU -for further processing. With packet spanning multiple TMDs it can -happen that the overall packet size will be bigger than sizeof(buffer), -which results in memory corruption. - -Fix this by only allowing to queue maximum sizeof(buffer) bytes. - -This is CVE-2015-3209. - -[Fixed 3-space indentation to QEMU's 4-space coding standard. ---Stefan] - -Signed-off-by: Petr Matousek -Reported-by: Matt Tait -Reviewed-by: Peter Maydell -Reviewed-by: Stefan Hajnoczi -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 9f7c594c006289ad41169b854d70f5da6e400a2a) ---- - hw/net/pcnet.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index bdfd38f..68b9981 100644 ---- a/hw/net/pcnet.c -+++ b/hw/net/pcnet.c -@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) - } - - bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -+ -+ /* if multi-tmd packet outsizes s->buffer then skip it silently. -+ Note: this is not what real hw does */ -+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { -+ s->xmit_pos = -1; -+ goto txdone; -+ } -+ - s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), - s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); - s->xmit_pos += bcnt; diff --git a/0007-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch b/0007-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch deleted file mode 100644 index f15d127..0000000 --- a/0007-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From: Petr Matousek -Date: Wed, 17 Jun 2015 12:46:11 +0200 -Subject: [PATCH] i8254: fix out-of-bounds memory access in pit_ioport_read() - -Due converting PIO to the new memory read/write api we no longer provide -separate I/O region lenghts for read and write operations. As a result, -reading from PIT Mode/Command register will end with accessing -pit->channels with invalid index. - -Fix this by ignoring read from the Mode/Command register. - -This is CVE-2015-3214. - -Reported-by: Matt Tait -Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052 -Cc: qemu-stable@nongnu.org -Signed-off-by: Petr Matousek -Signed-off-by: Paolo Bonzini -(cherry picked from commit d4862a87e31a51de9eb260f25c9e99a75efe3235) ---- - hw/timer/i8254.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c -index 3450c98..9b65a33 100644 ---- a/hw/timer/i8254.c -+++ b/hw/timer/i8254.c -@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr, - PITChannelState *s; - - addr &= 3; -+ -+ if (addr == 3) { -+ /* Mode/Command register is write only, read is ignored */ -+ return 0; -+ } -+ - s = &pit->channels[addr]; - if (s->status_latched) { - s->status_latched = 0; diff --git a/0008-scsi-fix-buffer-overflow-in-scsi_req_parse_cdb-CVE-2.patch b/0008-scsi-fix-buffer-overflow-in-scsi_req_parse_cdb-CVE-2.patch deleted file mode 100644 index e2b1d9d..0000000 --- a/0008-scsi-fix-buffer-overflow-in-scsi_req_parse_cdb-CVE-2.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 21 Jul 2015 08:59:39 +0200 -Subject: [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb - (CVE-2015-5158) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is a guest-triggerable buffer overflow present in QEMU 2.2.0 -and newer. scsi_cdb_length returns -1 as an error value, but the -caller does not check it. - -Luckily, the massive overflow means that QEMU will just SIGSEGV, -making the impact much smaller. - -Reported-by: Zhu Donghai (朱东海) -Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 -Reviewed-by: Fam Zheng -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit c170aad8b057223b1139d72e5ce7acceafab4fa9) ---- - hw/scsi/scsi-bus.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c -index bd2c0e4..0c506db 100644 ---- a/hw/scsi/scsi-bus.c -+++ b/hw/scsi/scsi-bus.c -@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) { - int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf) - { - int rc; -+ int len; - - cmd->lba = -1; -- cmd->len = scsi_cdb_length(buf); -+ len = scsi_cdb_length(buf); -+ if (len < 0) { -+ return -1; -+ } - -+ cmd->len = len; - switch (dev->type) { - case TYPE_TAPE: - rc = scsi_req_stream_xfer(cmd, dev, buf); diff --git a/0009-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch b/0009-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch deleted file mode 100644 index 1ab48b8..0000000 --- a/0009-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From: Kevin Wolf -Date: Sun, 26 Jul 2015 23:42:53 -0400 -Subject: [PATCH] ide: Check array bounds before writing to io_buffer - (CVE-2015-5154) - -If the end_transfer_func of a command is called because enough data has -been read or written for the current PIO transfer, and it fails to -correctly call the command completion functions, the DRQ bit in the -status register and s->end_transfer_func may remain set. This allows the -guest to access further bytes in s->io_buffer beyond s->data_end, and -eventually overflowing the io_buffer. - -One case where this currently happens is emulation of the ATAPI command -START STOP UNIT. - -This patch fixes the problem by adding explicit array bounds checks -before accessing the buffer instead of relying on end_transfer_func to -function correctly. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Kevin Wolf -Reviewed-by: John Snow -(cherry picked from commit d2ff85854512574e7209f295e87b0835d5b032c6) ---- - hw/ide/core.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index a895fd8..17153f5 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return; -+ } -+ - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return; -+ } -+ - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return 0; -+ } -+ - ret = 
cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; diff --git a/0010-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch b/0010-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch deleted file mode 100644 index 92e32ac..0000000 --- a/0010-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Kevin Wolf -Date: Sun, 26 Jul 2015 23:42:53 -0400 -Subject: [PATCH] ide/atapi: Fix START STOP UNIT command completion - -The command must be completed on all code paths. START STOP UNIT with -pwrcnd set should succeed without doing anything. - -Signed-off-by: Kevin Wolf -Reviewed-by: John Snow -(cherry picked from commit 03441c3a4a42beb25460dd11592539030337d0f8) ---- - hw/ide/atapi.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c -index 950e311..79dd167 100644 ---- a/hw/ide/atapi.c -+++ b/hw/ide/atapi.c -@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf) - - if (pwrcnd) { - /* eject/load only happens for power condition == 0 */ -+ ide_atapi_cmd_ok(s); - return; - } - diff --git a/0011-ide-Clear-DRQ-after-handling-all-expected-accesses.patch b/0011-ide-Clear-DRQ-after-handling-all-expected-accesses.patch deleted file mode 100644 index 0cc7739..0000000 --- a/0011-ide-Clear-DRQ-after-handling-all-expected-accesses.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From: Kevin Wolf -Date: Sun, 26 Jul 2015 23:42:53 -0400 -Subject: [PATCH] ide: Clear DRQ after handling all expected accesses - -This is additional hardening against an end_transfer_func that fails to -clear the DRQ status bit. The bit must be unset as soon as the PIO -transfer has completed, so it's better to do this in a central place -instead of duplicating the code in all commands (and forgetting it in -some). - -Signed-off-by: Kevin Wolf -Reviewed-by: John Snow -(cherry picked from commit cb72cba83021fa42719e73a5249c12096a4d1cfc) ---- - hw/ide/core.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 17153f5..822519b 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readw(void *opaque, uint32_t addr) -@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - -@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readl(void *opaque, uint32_t addr) -@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - 
diff --git a/0012-Fix-release_drive-on-unplugged-devices-pci_piix3_xen.patch b/0012-Fix-release_drive-on-unplugged-devices-pci_piix3_xen.patch deleted file mode 100644 index 3bb0158..0000000 --- a/0012-Fix-release_drive-on-unplugged-devices-pci_piix3_xen.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Stefano Stabellini -Date: Mon, 3 Aug 2015 13:56:57 +0000 -Subject: [PATCH] Fix release_drive on unplugged devices - (pci_piix3_xen_ide_unplug) - -pci_piix3_xen_ide_unplug should completely unhook the unplugged -IDEDevice from the corresponding BlockBackend, otherwise the next call -to release_drive will try to detach the drive again. - -Suggested-by: Kevin Wolf -Signed-off-by: Stefano Stabellini -(cherry picked from commit 6cd387833d05e8ad31829d97e474dc420625aed9) ---- - hw/ide/piix.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/hw/ide/piix.c b/hw/ide/piix.c -index adb6649..5a26c86 100644 ---- a/hw/ide/piix.c -+++ b/hw/ide/piix.c -@@ -169,6 +169,7 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev) - PCIIDEState *pci_ide; - DriveInfo *di; - int i; -+ IDEDevice *idedev; - - pci_ide = PCI_IDE(dev); - -@@ -181,6 +182,12 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev) - blk_detach_dev(blk, ds); - } - pci_ide->bus[di->bus].ifs[di->unit].blk = NULL; -+ if (!(i % 2)) { -+ idedev = pci_ide->bus[di->bus].master; -+ } else { -+ idedev = pci_ide->bus[di->bus].slave; -+ } -+ idedev->conf.blk = NULL; - blk_unref(blk); - } - } diff --git a/0013-virtio-serial-fix-ANY_LAYOUT.patch b/0013-virtio-serial-fix-ANY_LAYOUT.patch deleted file mode 100644 index 9151550..0000000 --- a/0013-virtio-serial-fix-ANY_LAYOUT.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Thu, 23 Jul 2015 17:52:02 +0300 -Subject: [PATCH] virtio-serial: fix ANY_LAYOUT - -Don't assume a specific layout for control messages. -Required by virtio 1. - -Signed-off-by: Michael S. Tsirkin -Reviewed-by: Amit Shah -Reviewed-by: Jason Wang -(cherry picked from commit 7882080388be5088e72c425b02223c02e6cb4295) ---- - hw/char/virtio-serial-bus.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c -index e336bdb..2565521 100644 ---- a/hw/char/virtio-serial-bus.c -+++ b/hw/char/virtio-serial-bus.c -@@ -194,7 +194,8 @@ static size_t send_control_msg(VirtIOSerial *vser, void *buf, size_t len) - return 0; - } - -- memcpy(elem.in_sg[0].iov_base, buf, len); -+ /* TODO: detect a buffer that's too short, set NEEDS_RESET */ -+ iov_from_buf(elem.in_sg, elem.in_num, 0, buf, len); - - virtqueue_push(vq, &elem, len); - virtio_notify(VIRTIO_DEVICE(vser), vq); diff --git a/0014-rtl8139-avoid-nested-ifs-in-IP-header-parsing-CVE-20.patch b/0014-rtl8139-avoid-nested-ifs-in-IP-header-parsing-CVE-20.patch deleted file mode 100644 index 1222736..0000000 --- a/0014-rtl8139-avoid-nested-ifs-in-IP-header-parsing-CVE-20.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 17:13:32 +0100 -Subject: [PATCH] rtl8139: avoid nested ifs in IP header parsing - (CVE-2015-5165) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Transmit offload needs to parse packet headers. If header fields have -unexpected values the offload processing is skipped. - -The code currently uses nested ifs because there is relatively little -input validation. The next patches will add missing input validation -and a goto label is more appropriate to avoid deep if statement nesting. - -Reported-by: 朱东海(启路) -Reviewed-by: Jason Wang -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 39b8e7dcaf04cbdb926b478f825b160d852752b5) ---- - hw/net/rtl8139.c | 41 ++++++++++++++++++++++------------------- - 1 file changed, 22 insertions(+), 19 deletions(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index f868108..8306b26 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2160,28 +2160,30 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - size_t eth_payload_len = 0; - - int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); -- if (proto == ETH_P_IP) -+ if (proto != ETH_P_IP) - { -- DPRINTF("+++ C+ mode has IP packet\n"); -- -- /* not aligned */ -- eth_payload_data = saved_buffer + ETH_HLEN; -- eth_payload_len = saved_size - ETH_HLEN; -- -- ip = (ip_header*)eth_payload_data; -- -- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -- DPRINTF("+++ C+ mode packet has bad IP version %d " -- "expected %d\n", IP_HEADER_VERSION(ip), -- IP_HEADER_VERSION_4); -- ip = NULL; -- } else { -- hlen = IP_HEADER_LENGTH(ip); -- ip_protocol = ip->ip_p; -- ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -- } -+ goto skip_offload; - } - -+ DPRINTF("+++ C+ mode has IP packet\n"); -+ -+ /* not aligned */ -+ eth_payload_data = saved_buffer + ETH_HLEN; -+ eth_payload_len = saved_size - ETH_HLEN; -+ -+ ip = (ip_header*)eth_payload_data; -+ -+ if 
(IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -+ DPRINTF("+++ C+ mode packet has bad IP version %d " -+ "expected %d\n", IP_HEADER_VERSION(ip), -+ IP_HEADER_VERSION_4); -+ goto skip_offload; -+ } -+ -+ hlen = IP_HEADER_LENGTH(ip); -+ ip_protocol = ip->ip_p; -+ ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -+ - if (ip) - { - if (txdw0 & CP_TX_IPCS) -@@ -2377,6 +2379,7 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - } - } - -+skip_offload: - /* update tally counter */ - ++s->tally_counters.TxOk; - diff --git a/0015-rtl8139-drop-tautologous-if-ip-.-statement-CVE-2015-.patch b/0015-rtl8139-drop-tautologous-if-ip-.-statement-CVE-2015-.patch deleted file mode 100644 index 4eebd43..0000000 --- a/0015-rtl8139-drop-tautologous-if-ip-.-statement-CVE-2015-.patch +++ /dev/null 
@@ -1,376 +0,0 @@ -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 17:17:28 +0100 -Subject: [PATCH] rtl8139: drop tautologous if (ip) {...} statement - (CVE-2015-5165) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The previous patch stopped using the ip pointer as an indicator that the -IP header is present. When we reach the if (ip) {...} statement we know -ip is always non-NULL. - -Remove the if statement to reduce nesting. - -Reported-by: 朱东海(启路) -Reviewed-by: Jason Wang -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit d6812d60e7932de3cd0f602c0ee63dd3d09f1847) ---- - hw/net/rtl8139.c | 305 +++++++++++++++++++++++++++---------------------------- - 1 file changed, 151 insertions(+), 154 deletions(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 8306b26..c044dee 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2184,198 +2184,195 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; - -- if (ip) -+ if (txdw0 & CP_TX_IPCS) - { -- if (txdw0 & CP_TX_IPCS) -- { -- DPRINTF("+++ C+ mode need IP checksum\n"); -+ DPRINTF("+++ C+ mode need IP checksum\n"); - -- if (hleneth_payload_len) {/* min header length */ -- /* bad packet header len */ -- /* or packet too short */ -- } -- else -- { -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(ip, hlen); -- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -- hlen, ip->ip_sum); -- } -+ if (hleneth_payload_len) {/* min header length */ -+ /* bad packet header len */ -+ /* or packet too short */ - } -- -- if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -+ else - { -- int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(ip, hlen); -+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -+ hlen, ip->ip_sum); -+ } -+ } - -- DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " -- "frame data %d specified 
MSS=%d\n", ETH_MTU, -- ip_data_len, saved_size - ETH_HLEN, large_send_mss); -+ if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -+ { -+ int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; - -- int tcp_send_offset = 0; -- int send_count = 0; -+ DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " -+ "frame data %d specified MSS=%d\n", ETH_MTU, -+ ip_data_len, saved_size - ETH_HLEN, large_send_mss); - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -+ int tcp_send_offset = 0; -+ int send_count = 0; - -- /* save IP header template; data area is used in tcp checksum calculation */ -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; - -- /* a placeholder for checksum calculation routine in tcp case */ -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ /* save IP header template; data area is used in tcp checksum calculation */ -+ memcpy(saved_ip_header, eth_payload_data, hlen); - -- /* pointer to TCP header */ -- tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); -+ /* a placeholder for checksum calculation routine in tcp case */ -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; - -- int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); -+ /* pointer to TCP header */ -+ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); - -- /* ETH_MTU = ip header len + tcp header len + payload */ -- int tcp_data_len = ip_data_len - tcp_hlen; -- int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; -+ int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -- DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " -- "data len %d TCP chunk size %d\n", ip_data_len, -- tcp_hlen, tcp_data_len, tcp_chunk_size); -+ /* ETH_MTU = ip header len + tcp header len + payload */ -+ int tcp_data_len = 
ip_data_len - tcp_hlen; -+ int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; - -- /* note the cycle below overwrites IP header data, -- but restores it from saved_ip_header before sending packet */ -+ DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " -+ "data len %d TCP chunk size %d\n", ip_data_len, -+ tcp_hlen, tcp_data_len, tcp_chunk_size); - -- int is_last_frame = 0; -+ /* note the cycle below overwrites IP header data, -+ but restores it from saved_ip_header before sending packet */ - -- for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) -- { -- uint16_t chunk_size = tcp_chunk_size; -- -- /* check if this is the last frame */ -- if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -- { -- is_last_frame = 1; -- chunk_size = tcp_data_len - tcp_send_offset; -- } -- -- DPRINTF("+++ C+ mode TSO TCP seqno %08x\n", -- be32_to_cpu(p_tcp_hdr->th_seq)); -- -- /* add 4 TCP pseudoheader fields */ -- /* copy IP source and destination fields */ -- memcpy(data_to_checksum, saved_ip_header + 12, 8); -- -- DPRINTF("+++ C+ mode TSO calculating TCP checksum for " -- "packet with %d bytes data\n", tcp_hlen + -- chunk_size); -- -- if (tcp_send_offset) -- { -- memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -- } -- -- /* keep PUSH and FIN flags only for the last frame */ -- if (!is_last_frame) -- { -- TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -- } -- -- /* recalculate TCP checksum */ -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); -- -- p_tcp_hdr->th_sum = 0; -- -- int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -- DPRINTF("+++ C+ mode TSO TCP checksum %04x\n", -- tcp_checksum); -- -- p_tcp_hdr->th_sum = tcp_checksum; -- -- /* restore IP header */ -- memcpy(eth_payload_data, 
saved_ip_header, hlen); -- -- /* set IP data length and recalculate IP checksum */ -- ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); -- -- /* increment IP id for subsequent frames */ -- ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); -- -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(eth_payload_data, hlen); -- DPRINTF("+++ C+ mode TSO IP header len=%d " -- "checksum=%04x\n", hlen, ip->ip_sum); -- -- int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -- DPRINTF("+++ C+ mode TSO transferring packet size " -- "%d\n", tso_send_size); -- rtl8139_transfer_frame(s, saved_buffer, tso_send_size, -- 0, (uint8_t *) dot1q_buffer); -- -- /* add transferred count to TCP sequence number */ -- p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -- ++send_count; -- } -+ int is_last_frame = 0; - -- /* Stop sending this frame */ -- saved_size = 0; -- } -- else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -+ for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) - { -- DPRINTF("+++ C+ mode need TCP or UDP checksum\n"); -+ uint16_t chunk_size = tcp_chunk_size; - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ /* check if this is the last frame */ -+ if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -+ { -+ is_last_frame = 1; -+ chunk_size = tcp_data_len - tcp_send_offset; -+ } - -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ DPRINTF("+++ C+ mode TSO TCP seqno %08x\n", -+ be32_to_cpu(p_tcp_hdr->th_seq)); - - /* add 4 TCP pseudoheader fields */ - /* copy IP source and destination fields */ - memcpy(data_to_checksum, saved_ip_header + 12, 8); - -- if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -+ DPRINTF("+++ C+ mode TSO calculating TCP checksum for " -+ "packet with %d bytes data\n", tcp_hlen + -+ 
chunk_size); -+ -+ if (tcp_send_offset) - { -- DPRINTF("+++ C+ mode calculating TCP checksum for " -- "packet with %d bytes data\n", ip_data_len); -+ memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -+ } - -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ /* keep PUSH and FIN flags only for the last frame */ -+ if (!is_last_frame) -+ { -+ TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -+ } - -- tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); -+ /* recalculate TCP checksum */ -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); - -- p_tcp_hdr->th_sum = 0; -+ p_tcp_hdr->th_sum = 0; - -- int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DPRINTF("+++ C+ mode TCP checksum %04x\n", -- tcp_checksum); -+ int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -+ DPRINTF("+++ C+ mode TSO TCP checksum %04x\n", -+ tcp_checksum); - -- p_tcp_hdr->th_sum = tcp_checksum; -- } -- else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -- { -- DPRINTF("+++ C+ mode calculating UDP checksum for " -- "packet with %d bytes data\n", ip_data_len); -+ p_tcp_hdr->th_sum = tcp_checksum; - -- ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_udpip_hdr->zeros = 0; -- p_udpip_hdr->ip_proto = IP_PROTO_UDP; -- p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - -- udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); -+ /* set IP data length and recalculate IP checksum */ -+ ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); - -- p_udp_hdr->uh_sum = 0; 
-+ /* increment IP id for subsequent frames */ -+ ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); - -- int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DPRINTF("+++ C+ mode UDP checksum %04x\n", -- udp_checksum); -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(eth_payload_data, hlen); -+ DPRINTF("+++ C+ mode TSO IP header len=%d " -+ "checksum=%04x\n", hlen, ip->ip_sum); - -- p_udp_hdr->uh_sum = udp_checksum; -- } -+ int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -+ DPRINTF("+++ C+ mode TSO transferring packet size " -+ "%d\n", tso_send_size); -+ rtl8139_transfer_frame(s, saved_buffer, tso_send_size, -+ 0, (uint8_t *) dot1q_buffer); - -- /* restore IP header */ -- memcpy(eth_payload_data, saved_ip_header, hlen); -+ /* add transferred count to TCP sequence number */ -+ p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -+ ++send_count; - } -+ -+ /* Stop sending this frame */ -+ saved_size = 0; -+ } -+ else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -+ { -+ DPRINTF("+++ C+ mode need TCP or UDP checksum\n"); -+ -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; -+ memcpy(saved_ip_header, eth_payload_data, hlen); -+ -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ -+ /* add 4 TCP pseudoheader fields */ -+ /* copy IP source and destination fields */ -+ memcpy(data_to_checksum, saved_ip_header + 12, 8); -+ -+ if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -+ { -+ DPRINTF("+++ C+ mode calculating TCP checksum for " -+ "packet with %d bytes data\n", ip_data_len); -+ -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ -+ tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); -+ -+ p_tcp_hdr->th_sum = 0; -+ -+ int 
tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DPRINTF("+++ C+ mode TCP checksum %04x\n", -+ tcp_checksum); -+ -+ p_tcp_hdr->th_sum = tcp_checksum; -+ } -+ else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -+ { -+ DPRINTF("+++ C+ mode calculating UDP checksum for " -+ "packet with %d bytes data\n", ip_data_len); -+ -+ ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_udpip_hdr->zeros = 0; -+ p_udpip_hdr->ip_proto = IP_PROTO_UDP; -+ p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ -+ udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); -+ -+ p_udp_hdr->uh_sum = 0; -+ -+ int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DPRINTF("+++ C+ mode UDP checksum %04x\n", -+ udp_checksum); -+ -+ p_udp_hdr->uh_sum = udp_checksum; -+ } -+ -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - } - } - diff --git a/0016-rtl8139-skip-offload-on-short-Ethernet-IP-header-CVE.patch b/0016-rtl8139-skip-offload-on-short-Ethernet-IP-header-CVE.patch deleted file mode 100644 index 2fef943..0000000 --- a/0016-rtl8139-skip-offload-on-short-Ethernet-IP-header-CVE.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 14:30:37 +0100 -Subject: [PATCH] rtl8139: skip offload on short Ethernet/IP header - (CVE-2015-5165) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Transmit offload features access Ethernet and IP headers the packet. If -the packet is too short we must not attempt to access header fields: - - int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); - ... - eth_payload_data = saved_buffer + ETH_HLEN; - ... - ip = (ip_header*)eth_payload_data; - if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { - -Reported-by: 朱东海(启路) -Reviewed-by: Jason Wang -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit e1c120a9c54872f8a538ff9129d928de4e865cbd) ---- - hw/net/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index c044dee..4e22162 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2150,6 +2150,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - { - DPRINTF("+++ C+ mode offloaded task checksum\n"); - -+ /* Large enough for Ethernet and IP headers? */ -+ if (saved_size < ETH_HLEN + sizeof(ip_header)) { -+ goto skip_offload; -+ } -+ - /* ip packet header */ - ip_header *ip = NULL; - int hlen = 0; diff --git a/0017-rtl8139-check-IP-Header-Length-field-CVE-2015-5165.patch b/0017-rtl8139-check-IP-Header-Length-field-CVE-2015-5165.patch deleted file mode 100644 index 9c4bba6..0000000 --- a/0017-rtl8139-check-IP-Header-Length-field-CVE-2015-5165.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 17:32:32 +0100 -Subject: [PATCH] rtl8139: check IP Header Length field (CVE-2015-5165) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The IP Header Length field was only checked in the IP checksum case, but -is used in other cases too. - -Reported-by: 朱东海(启路) -Reviewed-by: Jason Wang -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 03247d43c577dfea8181cd40177ad5ba77c8db76) ---- - hw/net/rtl8139.c | 19 ++++++++----------- - 1 file changed, 8 insertions(+), 11 deletions(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 4e22162..2d97866 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2186,6 +2186,10 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - } - - hlen = IP_HEADER_LENGTH(ip); -+ if (hlen < sizeof(ip_header) || hlen > eth_payload_len) { -+ goto skip_offload; -+ } -+ - ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; - -@@ -2193,17 +2197,10 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - { - DPRINTF("+++ C+ mode need IP checksum\n"); - -- if (hleneth_payload_len) {/* min header length */ -- /* bad packet header len */ -- /* or packet too short */ -- } -- else -- { -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(ip, hlen); -- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -- hlen, ip->ip_sum); -- } -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(ip, hlen); -+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -+ hlen, ip->ip_sum); - } - - if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) diff --git a/0018-rtl8139-check-IP-Total-Length-field-CVE-2015-5165.patch b/0018-rtl8139-check-IP-Total-Length-field-CVE-2015-5165.patch deleted file mode 100644 index 1f5b991..0000000 --- a/0018-rtl8139-check-IP-Total-Length-field-CVE-2015-5165.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 17:34:40 +0100 -Subject: [PATCH] rtl8139: check IP Total Length field (CVE-2015-5165) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The IP Total Length field includes the IP header and data. Make sure it -is valid and does not exceed the Ethernet payload size. - -Reported-by: 朱东海(启路) -Reviewed-by: Jason Wang -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit c6296ea88df040054ccd781f3945fe103f8c7c17) ---- - hw/net/rtl8139.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 2d97866..c88bf9b 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2191,7 +2191,12 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - } - - ip_protocol = ip->ip_p; -- ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -+ -+ ip_data_len = be16_to_cpu(ip->ip_len); -+ if (ip_data_len < hlen || ip_data_len > eth_payload_len) { -+ goto skip_offload; -+ } -+ ip_data_len -= hlen; - - if (txdw0 & CP_TX_IPCS) - { diff --git a/0019-rtl8139-skip-offload-on-short-TCP-header-CVE-2015-51.patch b/0019-rtl8139-skip-offload-on-short-TCP-header-CVE-2015-51.patch deleted file mode 100644 index d2cd57d..0000000 --- a/0019-rtl8139-skip-offload-on-short-TCP-header-CVE-2015-51.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 17:36:15 +0100 -Subject: [PATCH] rtl8139: skip offload on short TCP header (CVE-2015-5165) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -TCP Large Segment Offload accesses the TCP header in the packet. If the -packet is too short we must not attempt to access header fields: - - tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); - int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -Reported-by: 朱东海(启路) -Reviewed-by: Jason Wang -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 4240be45632db7831129f124bcf53c1223825b0f) ---- - hw/net/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index c88bf9b..efde7b4 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2210,6 +2210,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - - if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) - { -+ /* Large enough for the TCP header? */ -+ if (ip_data_len < sizeof(tcp_header)) { -+ goto skip_offload; -+ } -+ - int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; - - DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " diff --git a/0020-rtl8139-check-TCP-Data-Offset-field-CVE-2015-5165.patch b/0020-rtl8139-check-TCP-Data-Offset-field-CVE-2015-5165.patch deleted file mode 100644 index 1a49794..0000000 --- a/0020-rtl8139-check-TCP-Data-Offset-field-CVE-2015-5165.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 17:39:29 +0100 -Subject: [PATCH] rtl8139: check TCP Data Offset field (CVE-2015-5165) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The TCP Data Offset field contains the length of the header. Make sure -it is valid and does not exceed the IP data length. - -Reported-by: 朱东海(启路) -Reviewed-by: Jason Wang -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 8357946b15f0a31f73dd691b7da95f29318ed310) ---- - hw/net/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index efde7b4..d25e8c9 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2239,6 +2239,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - - int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -+ /* Invalid TCP data offset? */ -+ if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_len) { -+ goto skip_offload; -+ } -+ - /* ETH_MTU = ip header len + tcp header len + payload */ - int tcp_data_len = ip_data_len - tcp_hlen; - int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; diff --git a/qemu.spec b/qemu.spec index 240a50d..bad8a5c 100644 --- a/qemu.spec +++ b/qemu.spec @@ -42,8 +42,8 @@ Summary: QEMU is a FAST! processor emulator Name: qemu -Version: 2.3.0 -Release: 7%{?dist} +Version: 2.3.1 +Release: 1%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools 
@@ -71,44 +71,19 @@ Source12: bridge.conf # qemu-kvm back compat wrapper Source13: qemu-kvm.sh -# CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access -# (bz #1221152) -Patch0001: 0001-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch # CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz # #1222894) -Patch0002: 0002-slirp-use-less-predictable-directory-name-in-tmp-for.patch +Patch0001: 0001-slirp-use-less-predictable-directory-name-in-tmp-for.patch # Fix: qemu-img: error while compressing sector : Input/output # error (bz #1214855) -Patch0003: 0003-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch -# Fix crash in qemu_spice_create_display (bz #1163047) -Patch0004: 0004-spice-display-fix-segfault-in-qemu_spice_create_upda.patch +Patch0002: 0002-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch # Fix qemu-img map crash for unaligned image (bz #1229394) -Patch0005: 0005-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch +Patch0003: 0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch # CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz # #1230536) -Patch0006: 0006-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch -# CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728) -Patch0007: 0007-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch -# CVE-2015-5158: scsi stack buffer overflow (bz #1246025) -Patch0008: 0008-scsi-fix-buffer-overflow-in-scsi_req_parse_cdb-CVE-2.patch -# CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory -# access (bz #1247141) -Patch0009: 0009-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch -Patch0010: 0010-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch -Patch0011: 0011-ide-Clear-DRQ-after-handling-all-expected-accesses.patch -# CVE-2015-5166: BlockBackend object use after free issue (bz #1249758) -Patch0012: 0012-Fix-release_drive-on-unplugged-devices-pci_piix3_xen.patch +Patch0004: 
0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch # CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160) -Patch0013: 0013-virtio-serial-fix-ANY_LAYOUT.patch -# CVE-2015-5165: rtl8139 uninitialized heap memory information leakage -# to guest (bz #1249755) -Patch0014: 0014-rtl8139-avoid-nested-ifs-in-IP-header-parsing-CVE-20.patch -Patch0015: 0015-rtl8139-drop-tautologous-if-ip-.-statement-CVE-2015-.patch -Patch0016: 0016-rtl8139-skip-offload-on-short-Ethernet-IP-header-CVE.patch -Patch0017: 0017-rtl8139-check-IP-Header-Length-field-CVE-2015-5165.patch -Patch0018: 0018-rtl8139-check-IP-Total-Length-field-CVE-2015-5165.patch -Patch0019: 0019-rtl8139-skip-offload-on-short-TCP-header-CVE-2015-51.patch -Patch0020: 0020-rtl8139-check-TCP-Data-Offset-field-CVE-2015-5165.patch +Patch0005: 0005-virtio-serial-fix-ANY_LAYOUT.patch BuildRequires: SDL2-devel BuildRequires: zlib-devel @@ -1211,6 +1186,9 @@ getent passwd qemu >/dev/null || \ %changelog +* Tue Aug 11 2015 Cole Robinson - 2:2.3.1-1 +- Rebased to version 2.3.1 + * Tue Aug 11 2015 Cole Robinson - 2:2.3.0-7 - Fix crash in qemu_spice_create_display (bz #1163047) - Fix qemu-img map crash for unaligned image (bz #1229394) diff --git a/sources b/sources index acbd37d..1ae71ac 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2fab3ea4460de9b57192e5b8b311f221 qemu-2.3.0.tar.bz2 +fb6bbdb32e6af5c2d2980a32ac4ea051 qemu-2.3.1.tar.bz2
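Review bot: The `@@ -71,44 +71,19 @@` hunk drops the backports for CVE-2015-3456, CVE-2015-3214, CVE-2015-5158, CVE-2015-5154, CVE-2015-5166 and CVE-2015-5165 (Patch0001, 0007-0012, 0014-0020) while the new `%changelog` entry in the following hunk says only "Rebased to version 2.3.1", so nothing in this commit records that those fixes are carried by the 2.3.1 tarball rather than silently lost. Each deleted patch file names its upstream commit in a "(cherry picked from ...)" trailer, which is presumably what justifies the drop, but the spec does not say so and the Release reset to `1%{?dist}` makes the package look like a fresh baseline. I would add a changelog line under the 2:2.3.1-1 entry such as `- Drop CVE-2015-3456/3214/5154/5158/5165/5166 backports now carried by upstream 2.3.1 (bz #1221152, #1243728, #1247141, #1246025, #1249755, #1249758)` after confirming each cherry-picked commit is present in the 2.3.1 tree. The three patches kept (Patch0001 slirp, Patch0004 pcnet, Patch0005 virtio-serial) retain their CVE comments, so the pattern is already established for the ones that remain.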