From 4623a49793be870653bd0f010c86dd2298917b04 Mon Sep 17 00:00:00 2001
From: Michael Young
Date: Oct 10 2015 21:15:35 +0000
Subject: patch CVE-2015-7295 for qemu-xen-traditional as well
---
diff --git a/qemu.trad.CVE-2015-7295.patch b/qemu.trad.CVE-2015-7295.patch
new file mode 100644
index 0000000..1c74270
--- /dev/null
+++ b/qemu.trad.CVE-2015-7295.patch
@@ -0,0 +1,63 @@
+--- xen-4.5.1/tools/qemu-xen-traditional/hw/virtio.c.orig 2015-06-09 16:32:24.000000000 +0100
++++ xen-4.5.1/tools/qemu-xen-traditional/hw/virtio.c 2015-10-10 16:57:01.806370020 +0100
+@@ -268,8 +268,8 @@
+ return vring_avail_idx(vq) == vq->last_avail_idx;
+ }
+
+-void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+- unsigned int len, unsigned int idx)
++static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len)
+ {
+ unsigned int offset;
+ int i;
+@@ -302,7 +302,19 @@
+
+ offset += size;
+ }
++}
+
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len)
++{
++ vq->last_avail_idx--;
++ virtqueue_unmap_sg(vq, elem, len);
++}
++
++void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len, unsigned int idx)
++{
++ virtqueue_unmap_sg(vq, elem, len);
+ idx = (idx + vring_used_idx(vq)) % vq->vring.num;
+
+ /* Get a pointer to the next entry in the used ring. */
+--- xen-4.5.1/tools/qemu-xen-traditional/hw/virtio.h.orig 2015-06-09 16:32:24.000000000 +0100
++++ xen-4.5.1/tools/qemu-xen-traditional/hw/virtio.h 2015-10-10 16:57:53.146216039 +0100
+@@ -105,6 +105,8 @@
+ void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem,
+ unsigned int len);
+ void virtqueue_flush(VirtQueue *vq, unsigned int count);
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len);
+ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+ unsigned int len, unsigned int idx);
+
+--- xen-4.5.1/tools/qemu-xen-traditional/hw/virtio-net.c.orig 2015-10-10 16:10:05.071786348 +0100
++++ xen-4.5.1/tools/qemu-xen-traditional/hw/virtio-net.c 2015-10-10 19:05:34.510029916 +0100
+@@ -424,11 +424,15 @@
+ len = iov_fill(sg, elem.in_num,
+ buf + offset, size - offset);
+ total += len;
++ offset += len;
++ if (!n->mergeable_rx_bufs && offset < size) {
++ virtqueue_discard(n->rx_vq, &elem, total);
++ return;
++ }
+
+ /* signal other side */
+ virtqueue_fill(n->rx_vq, &elem, total, i++);
+
+- offset += len;
+ }
+
+ if (mhdr)
diff --git a/xen.spec b/xen.spec
index 7f67c39..152b100 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.5.1
-Release: 12%{?dist}
+Release: 13%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -118,6 +118,7 @@ Patch49: qemu.git-d9033e1d3aa666c5071580617a57bd853c5d794a.patch
 Patch50: qemu.git-ce317461573bac12b10d67699b4ddf1f97cf066c.patch
 Patch51: qemu.git-29b9f5efd78ae0f9cc02dd169b6e80d2c404bade.patch
 Patch52: qemu.git-0cf33fb6b49a19de32859e2cdc6021334f448fb3.patch
+Patch53: qemu.trad.CVE-2015-7295.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel
@@ -337,6 +338,7 @@ manage Xen virtual machines.
 %patch50 -p1
 %patch51 -p1
 %patch52 -p1
+%patch53 -p1
 # stubdom sources
 cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom
@@ -860,6 +862,9 @@ rm -rf %{buildroot}
 %endif
 %changelog
+* Sat Oct 10 2015 Michael Young - 4.5.1-13
+- patch CVE-2015-7295 for qemu-xen-traditional as well
+
 * Thu Oct 08 2015 Michael Young - 4.5.1-12
 - Qemu: net: virtio-net possible remote DoS [CVE-2015-7295] (#1264392)
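Review bot: `virtqueue_discard()` in the virtio.c part of the added patch rewinds the queue with an unconditional `vq->last_avail_idx--`, and neither the definition nor the new prototype in virtio.h states when that is valid. From what the hunk shows, the decrement is only correct when the caller has just popped exactly this element and has not yet handed it to `virtqueue_fill()`; the virtio-net.c caller appears to meet this, since it discards the element it is currently filling and returns at once, but the pop itself is outside the hunk. I would put the contract on the declaration, e.g. `/* Undo the most recent virtqueue_pop(): elem must be the last element popped from vq and must not have been filled. */`. In virtio-net.c the truncated packet is dropped with a bare `return;`, so a short comment such as `/* guest rx buffer too small for the packet: drop it instead of delivering a truncated frame */` would record the reason, and if the device keeps drop statistics (not visible here) this is the place to count the event so repeated drops can be noticed. The enclosing functions start and end outside the inner hunks.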