diff options
author | Leo Famulari <leo@famulari.name> | 2018-04-18 10:56:50 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2018-04-18 11:38:45 -0400 |
commit | e45f399bf94b07faa7def233ec4da7f4826fc31f (patch) | |
tree | 5d28ef90a262a1736fa599cd876b4aa096dbb5e1 | |
parent | 94b22905ab4ebc8de4c42082df51de96bb824dd7 (diff) | |
download | guix-e45f399bf94b07faa7def233ec4da7f4826fc31f.tar.gz |
gnu: qemu: Fix CVE-2018-7550.
* gnu/packages/patches/qemu-CVE-2018-7550.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/virtualization.scm (qemu)[source]: Use it.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2018-7550.patch | 66 | ||||
-rw-r--r-- | gnu/packages/virtualization.scm | 1 |
3 files changed, 68 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 639dd943d6..056a46cb79 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1061,6 +1061,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-unittest2-python3-compat.patch \ %D%/packages/patches/python-unittest2-remove-argparse.patch \ %D%/packages/patches/python-waitress-fix-tests.patch \ + %D%/packages/patches/qemu-CVE-2018-7550.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtbase-use-TZDIR.patch \ %D%/packages/patches/qtscript-disable-tests.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2018-7550.patch b/gnu/packages/patches/qemu-CVE-2018-7550.patch new file mode 100644 index 0000000000..43f111e206 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2018-7550.patch @@ -0,0 +1,66 @@ +Fix CVE-2018-7550: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7550 + +Patch copied from upstream source repository: + +https://git.qemu.org/?p=qemu.git;a=patch;h=2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 + +From 2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 Mon Sep 17 00:00:00 2001 +From: Jack Schwartz <jack.schwartz@oracle.com> +Date: Thu, 21 Dec 2017 09:25:15 -0800 +Subject: [PATCH] multiboot: bss_end_addr can be zero + +The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/), +section 3.1.3, allows for bss_end_addr to be zero. + +A zero bss_end_addr signifies there is no .bss section. + +Suggested-by: Daniel Kiper <daniel.kiper@oracle.com> +Signed-off-by: Jack Schwartz <jack.schwartz@oracle.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Kevin Wolf <kwolf@redhat.com> +--- + hw/i386/multiboot.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c +index 46d9c68bf5..bb8d8e4629 100644 +--- a/hw/i386/multiboot.c ++++ b/hw/i386/multiboot.c +@@ -233,12 +233,6 @@ int load_multiboot(FWCfgState *fw_cfg, + mh_entry_addr = ldl_p(header+i+28); + + if (mh_load_end_addr) { +- if (mh_bss_end_addr < mh_load_addr) { +- fprintf(stderr, "invalid mh_bss_end_addr address\n"); +- exit(1); +- } +- mb_kernel_size = mh_bss_end_addr - mh_load_addr; +- + if (mh_load_end_addr < mh_load_addr) { + fprintf(stderr, "invalid mh_load_end_addr address\n"); + exit(1); +@@ -249,8 +243,16 @@ int load_multiboot(FWCfgState *fw_cfg, + fprintf(stderr, "invalid kernel_file_size\n"); + exit(1); + } +- mb_kernel_size = kernel_file_size - mb_kernel_text_offset; +- mb_load_size = mb_kernel_size; ++ mb_load_size = kernel_file_size - mb_kernel_text_offset; ++ } ++ if (mh_bss_end_addr) { ++ if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) { ++ fprintf(stderr, "invalid mh_bss_end_addr address\n"); ++ exit(1); ++ } ++ mb_kernel_size = mh_bss_end_addr - mh_load_addr; ++ } else { ++ mb_kernel_size = mb_load_size; + } + + /* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_VBE. +-- +2.17.0 + diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 44a4ed2920..55ace5a56d 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -88,6 +88,7 @@ (method url-fetch) (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) + (patches (search-patches "qemu-CVE-2018-7550.patch")) (sha256 (base32 "11l6cs6mib16rgdrnqrhkqs033fjik316gkgfz3asbmxz38lalca")))) |