#36 Backport fix for CVE-2015-7504
Merged 11 months ago by carlwgeorge. Opened 11 months ago by carlwgeorge.
rpms/carlwgeorge/qemu: epel7-CVE-2015-7504 into epel7

@@ -0,0 +1,50 @@ 

+ From 60ae974a9c41af297d66232999049b3d297681de Mon Sep 17 00:00:00 2001

+ From: Prasad J Pandit <pjp@fedoraproject.org>

+ Date: Fri, 20 Nov 2015 11:50:31 +0530

+ Subject: [PATCH] net: pcnet: add check to validate receive data

+  size(CVE-2015-7504)

+ 

+ In loopback mode, pcnet_receive routine appends CRC code to the

+ receive buffer. If the data size given is same as the buffer size,

+ the appended CRC code overwrites 4 bytes after s->buffer. Added a

+ check to avoid that.

+ 

+ Reported by: Qinghao Tang <luodalongde@gmail.com>

+ Cc: qemu-stable@nongnu.org

+ Reviewed-by: Michael S. Tsirkin <mst@redhat.com>

+ Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

+ Signed-off-by: Jason Wang <jasowang@redhat.com>

+ (cherry picked from commit 837f21aacf5a714c23ddaadbbc5212f9b661e3f7)

+ ---

+  hw/net/pcnet.c | 8 +++++---

+  1 file changed, 5 insertions(+), 3 deletions(-)

+ 

+ diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c

+ index a577dafb0e..34b449188c 100644

+ --- a/hw/net/pcnet.c

+ +++ b/hw/net/pcnet.c

+ @@ -1107,7 +1107,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)

+                  uint32_t fcs = ~0;

+                  uint8_t *p = src;

+  

+ -                while (p != &src[size-4])

+ +                while (p != &src[size])

+                      CRC(fcs, *p++);

+                  crc_err = (*(uint32_t *)p != htonl(fcs));

+              }

+ @@ -1256,8 +1256,10 @@ static void pcnet_transmit(PCNetState *s)

+          bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);

+  

+          /* if multi-tmd packet outsizes s->buffer then skip it silently.

+ -           Note: this is not what real hw does */

+ -        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {

+ +         * Note: this is not what real hw does.

+ +         * Last four bytes of s->buffer are used to store CRC FCS code.

+ +         */

+ +        if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {

+              s->xmit_pos = -1;

+              goto txdone;

+          }

+ -- 

+ 2.40.1

+ 
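Review bot: the two embedded hunks only hold together as a pair, since pcnet_receive now walks to and dereferences `&src[size]` on the assumption that pcnet_transmit has already capped `s->xmit_pos + bcnt` at `sizeof(s->buffer) - 4`; a partial apply of this patch would leave the receive half without the reservation the commit message relies on, so confirm `%patch0007` applies with no offsets or fuzz in the EPEL tree. The `index a577dafb0e..34b449188c` line and the `2.40.1` trailer come from the regenerated git format-patch run rather than upstream commit 837f21aacf5a714c23ddaadbbc5212f9b661e3f7, which is harmless with `-p1` but worth knowing when diffing against upstream.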

file modified
+16 -4
@@ -121,7 +121,7 @@ 

  %global system_microblaze   system-microblaze

  %global system_mips   system-mips

  %global system_or32   system-or32

- %global system_ppc    system-ppc

+ #global system_ppc    system-ppc

  %global system_s390x  system-s390x

  %global system_sh4    system-sh4

  #global system_sparc  system-sparc
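Review bot: turning `%global system_ppc` into `#global system_ppc` follows the existing `#global system_sparc` convention two lines below, so this reads as intended rather than a typo; the usual caveat that rpm still expands macros inside `#` comment lines does not bite here because the commented line contains no `%`.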
@@ -155,7 +155,7 @@ 

  Summary: QEMU is a FAST! processor emulator

  Name: qemu

  Version: 2.0.0

- Release: 3%{?dist}

+ Release: 5%{?dist}

  Epoch: 2

  License: GPLv2+ and LGPLv2+ and BSD

  Group: Development/Tools
@@ -166,7 +166,7 @@ 

  %endif

  # XXX: The rom packages need to be updated to cross compile like fedora does,

  # otherwise qemu-system-x86 deps are broken on ppc64

- ExcludeArch: ppc64

+ ExcludeArch: %{power64}

  

  # OOM killer breaks builds with parallel make on s390(x)

  %ifarch s390 s390x
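Review bot: with `ExcludeArch` widened from `ppc64` to `%{power64}`, the comment above it still says the deps are broken "on ppc64"; update it to say the rom packages are not cross-compiled for any 64-bit POWER variant, since the ppc64le scratch-build failure discussed in the comments is what motivated the wider exclusion.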
@@ -214,6 +214,9 @@ 

  Patch0005: 0003-pcnet-fix-Negative-array-index-read.patch

  Patch0006: 0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch

  

+ # CVE-2015-7504: pcnet: add check to validate receive data size (bz #1286547)

+ Patch0007: 0001-net-pcnet-add-check-to-validate-receive-data-size-CVE-2015-7504.patch

+ 

  # EPEL specific patches

  Patch6661: 0001-pxe-always-use-non-efi-roms.patch

  
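Review bot: the new patch file keeps its `0001-` format-patch prefix although it is applied after `0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch`; the spec's `Patch0007` number is what actually orders it, so this is cosmetic, but renaming it to follow the existing `000N-` sequence would stop a reader assuming it belongs at the head of the series. The `bz #1286547` reference in the comment matches `Resolves: rhbz#1286547` in the description.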
@@ -749,6 +752,9 @@ 

  %patch0005 -p1

  %patch0006 -p1

  

+ # CVE-2015-7504: pcnet: add check to validate receive data size (bz #1286547)

+ %patch0007 -p1

+ 

  # EPEL patches

  %patch6661 -p1

  
@@ -774,7 +780,7 @@ 

      microblaze-linux-user microblazeel-linux-user mips-linux-user \

      mipsel-linux-user mips64-linux-user mips64el-linux-user \

      mipsn32-linux-user mipsn32el-linux-user \

-     or32-linux-user ppc-linux-user ppc64-linux-user ppc64le-linux-user \

+     or32-linux-user ppc-linux-user ppc64-linux-user \

      ppc64abi32-linux-user s390x-linux-user sh4-linux-user sh4eb-linux-user \

      sparc-linux-user sparc64-linux-user sparc32plus-linux-user \

      unicore32-linux-user"
@@ -1533,6 +1539,12 @@ 

  %endif

  

  %changelog

+ * Tue May 16 2023 Carl George <carl@george.computer> - 2:2.0.0-5

+ - CVE-2015-7504: pcnet: add check to validate receive data size (bz #1286547)

+ 

+ * Tue May 16 2023 Carl George <carl@george.computer> - 2:2.0.0-4

+ - Disable ppc64le-linux-user and qemu-system-ppc package

+ 

  * Fri Feb 08 2019 Murilo Opsfelder Araujo <muriloo@linux.ibm.com> - 2:2.0.0-3

  - Enable ppc64le-linux-user

  
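Review bot: the -5 changelog entry covers only the CVE backport, but the same release also changes `ExcludeArch: ppc64` to `%{power64}` (the "Fix ExcludeArch to cover all power64 architectures" commit); add a line for it under the -5 entry so the changelog explains why ppc64le builds are no longer attempted. Both new entries carrying the same date is fine, since Release is what orders them.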

The last changes made in the epel7 branch were to enable ppc64le-linux-user and the qemu-system-ppc package. Those changes make the build fail and were never released. This PR reverts those in order to complete a build that includes a backported fix from upstream for CVE-2015-7504.

Resolves: rhbz#1286547
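The bug the backported commit closes, shown as an added example that is not QEMU's or this package's code: a model of pcnet's 4096-byte transmit buffer (the size and the s->buffer/xmit_pos names are assumed from the upstream source, and a plain CRC-32 stands in for QEMU's CRC macro), the transmit admission check with and without the four reserved bytes, and the loopback FCS append that the reservation keeps in bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PCNET_BUF_SIZE 4096 /* size of s->buffer in QEMU's PCNetState (assumed) */
#define FCS_LEN 4           /* Ethernet FCS that pcnet_receive appends in loopback */

/* Transmit-side admission check from pcnet_transmit. Before the fix the
 * reservation was 0; the fix keeps FCS_LEN bytes free at the end of s->buffer. */
static int tmd_fits(size_t xmit_pos, size_t bcnt, size_t reserve)
{
    return xmit_pos + bcnt <= PCNET_BUF_SIZE - reserve;
}

/* Stand-in for QEMU's table-driven CRC macro: standard reflected CRC-32. */
static uint32_t crc32_eth(const uint8_t *p, size_t n)
{
    uint32_t crc = ~0u;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Loopback receive path: append the FCS after 'size' payload bytes.
 * Returns the new frame length, or -1 if the FCS would land past 'cap',
 * i.e. the 4-byte write beyond s->buffer that the upstream commit prevents. */
static long loopback_append_fcs(uint8_t *buf, size_t cap, size_t size)
{
    if (cap < FCS_LEN || size > cap - FCS_LEN)
        return -1;
    uint32_t fcs = crc32_eth(buf, size);
    for (int i = 0; i < FCS_LEN; i++) /* big-endian, as htonl() stores it */
        buf[size + i] = (uint8_t)(fcs >> (24 - 8 * i));
    return (long)(size + FCS_LEN);
}

/* Worked case: a 9-byte payload gets its FCS appended in bounds, while a
 * payload filling all 4096 bytes is refused. Returns 1 when both hold. */
static int demo_fcs_append(void)
{
    uint8_t buf[PCNET_BUF_SIZE];
    memcpy(buf, "123456789", 9);
    int ok = loopback_append_fcs(buf, sizeof buf, 9) == 13 && buf[9] == 0xCB &&
             buf[10] == 0xF4 && buf[11] == 0x39 && buf[12] == 0x26;
    return ok && loopback_append_fcs(buf, sizeof buf, PCNET_BUF_SIZE) == -1;
}
```

The pre-fix check accepts xmit_pos + bcnt == 4096, which is exactly the case where the loopback append would write four bytes past the buffer; the fixed check rejects it.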

There's a huge amount of unrelated churn in this patch. It's hard to tell what's going on.

Is there some reason you're trying to fix an 8 year old bug in a 10 year old branch?

Is there some reason you're trying to fix an 8 year old bug in a 10 year old branch?

And even if this CVE is fixed, it is not going to make the EPEL7 qemu secure, because there have easily been another 50 CVEs issued against QEMU since then that will remain unfixed.

> There's a huge amount of unrelated churn in this patch. It's hard to tell what's going on.

If you take a look at the individual commits it should be more clear. The commit titled "Disable ppc64le-linux-user and qemu-system-ppc package" reverts changes to the spec file that were never shipped that prevent the package from building, as I described in my first comment here. The second commit actually backports the upstream fix for CVE-2015-7504. The additional "churn" in that commit is metadata in patch files. To ensure the patch series applies correctly, I applied the existing patches to a git checkout of the upstream v2.0.0 tag, cherry-picked the fix for CVE-2015-7504, then regenerated the patch series with git format-patch. This is a standard packaging practice, but if it's a blocker to this being merged then I can rework this PR to not touch the existing patch files.

> Is there some reason you're trying to fix an 8 year old bug in a 10 year old branch?

Because it's a CVE that is rated "HIGH" in the NVD.

https://nvd.nist.gov/vuln/detail/CVE-2015-7504

I found it while looking through open EPEL 7 CVE bugs.

https://tdawson.fedorapeople.org/epel/willit/epel7/status-bugz-cve.html

> And even if this CVE is fixed, it is not going to make the EPEL7 qemu secure, because there have easily been another 50 CVEs issued against QEMU since then that will remain unfixed.

So because there are other CVEs, we shouldn't fix anything? I'm sorry, I don't buy that logic at all. If that's how you truly feel then I encourage you to retire this package from EPEL 7.

https://docs.fedoraproject.org/en-US/epel/epel-policy-retirement/#process_security_reasons

2 new commits added

  • CVE-2015-7504: pcnet: add check to validate receive data size (bz #1286547)
  • Disable ppc64le-linux-user and qemu-system-ppc package
11 months ago

The scratch build is failing on ppc64le. Earlier epel7 builds of this package only built for x86_64. Should ExcludeArch: ppc64 in the spec file be updated to ExcludeArch: %{power64}?

So the new version doesn't renumber all the patches, which is better. Yes please, can you try updating ExcludeArch with that fix, to see if it fixes the scratch build.

3 new commits added

  • CVE-2015-7504: pcnet: add check to validate receive data size (bz #1286547)
  • Fix ExcludeArch to cover all power64 architectures
  • Disable ppc64le-linux-user and qemu-system-ppc package
11 months ago

Pull-Request has been merged by carlwgeorge

11 months ago