summary refs log tree commit diff
path: root/gnu/packages/patches/qemu-CVE-2015-8743.patch
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2016-02-02 21:57:43 -0500
committerMark H Weaver <mhw@netris.org>2016-02-03 00:05:22 -0500
commitfd9a5b0fc3594cf3c62099f01502a150a54823fc (patch)
treebd8566f193f9a8921750a49a203395fa75f946bf /gnu/packages/patches/qemu-CVE-2015-8743.patch
parent80cc3a0a4a4e3b7deca4d1e3e4533eb400e3fde9 (diff)
downloadguix-fd9a5b0fc3594cf3c62099f01502a150a54823fc.tar.gz
gnu: qemu: Update to 2.5.0; add fixes for security flaws.
* gnu/packages/patches/qemu-CVE-2015-6855.patch: Delete file.
* gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch,
  gnu/packages/patches/qemu-CVE-2015-8558.patch,
  gnu/packages/patches/qemu-CVE-2015-8567.patch,
  gnu/packages/patches/qemu-CVE-2015-8613.patch,
  gnu/packages/patches/qemu-CVE-2015-8701.patch,
  gnu/packages/patches/qemu-CVE-2015-8743.patch,
  gnu/packages/patches/qemu-CVE-2016-1568.patch,
  gnu/packages/patches/qemu-CVE-2016-1922.patch: New files.
* gnu-system.am (dist_patch_DATA): Remove 'qemu-CVE-2015-6855.patch'; add the
  new patches.
* gnu/packages/qemu.scm (qemu): Update to 2.5.0.
  [source]: Remove old patches and add new ones.
  [arguments]: Add 'disable-test-qga' phase.
  (%glib-memory-vtable-patch, %glib-duplicate-test-patch): Remove variables.
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2015-8743.patch')
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-8743.patch48
1 files changed, 48 insertions, 0 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2015-8743.patch b/gnu/packages/patches/qemu-CVE-2015-8743.patch
new file mode 100644
index 0000000000..4a9d0e2f2d
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2015-8743.patch
@@ -0,0 +1,48 @@
+From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 31 Dec 2015 17:05:27 +0530
+Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
+
+While doing ioport r/w operations, ne2000 device emulation suffers
+from OOB r/w errors. Update respective array bounds check to avoid
+OOB access.
+
+Reported-by: Ling Liu <liuling-it@360.cn>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/ne2000.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 010f9ef..a3dffff 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
+                                      uint32_t val)
+ {
+     addr &= ~1; /* XXX: check exact behaviour if not even */
+-    if (addr < 32 ||
+-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++    if (addr < 32
++        || (addr >= NE2000_PMEM_START
++            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+         stl_le_p(s->mem + addr, val);
+     }
+ }
+@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
+ static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
+ {
+     addr &= ~1; /* XXX: check exact behaviour if not even */
+-    if (addr < 32 ||
+-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++    if (addr < 32
++        || (addr >= NE2000_PMEM_START
++            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+         return ldl_le_p(s->mem + addr);
+     } else {
+         return 0xffffffff;
+-- 
+2.6.3
+