summary refs log tree commit diff
path: root/gnu/packages/patches/qemu-CVE-2017-14167.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-14167.patch')
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-14167.patch69
1 files changed, 0 insertions, 69 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-14167.patch b/gnu/packages/patches/qemu-CVE-2017-14167.patch
deleted file mode 100644
index a6007ac082..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-14167.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-Fix CVE-2017-14167:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14167
-http://seclists.org/oss-sec/2017/q3/407
-
-Patch copied from upstream development mailing list:
-
-https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html
-
-From: Prasad J Pandit <address@hidden>
-
-While loading kernel via multiboot-v1 image, (flags & 0x00010000)
-indicates that multiboot header contains valid addresses to load
-the kernel image. These addresses are used to compute kernel
-size and kernel text offset in the OS image. Validate these
-address values to avoid an OOB access issue.
-
-This is CVE-2017-14167.
-
-Reported-by: Thomas Garnier <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/i386/multiboot.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-Update: add CVE-ID to the commit message.
-
-diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
-index 6001f4caa2..c7b70c91d5 100644
---- a/hw/i386/multiboot.c
-+++ b/hw/i386/multiboot.c
-@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
-         uint32_t mh_header_addr = ldl_p(header+i+12);
-         uint32_t mh_load_end_addr = ldl_p(header+i+20);
-         uint32_t mh_bss_end_addr = ldl_p(header+i+24);
-+
-         mh_load_addr = ldl_p(header+i+16);
-+        if (mh_header_addr < mh_load_addr) {
-+            fprintf(stderr, "invalid mh_load_addr address\n");
-+            exit(1);
-+        }
-+
-         uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
-         uint32_t mb_load_size = 0;
-         mh_entry_addr = ldl_p(header+i+28);
- 
-         if (mh_load_end_addr) {
-+            if (mh_bss_end_addr < mh_load_addr) {
-+                fprintf(stderr, "invalid mh_bss_end_addr address\n");
-+                exit(1);
-+            }
-             mb_kernel_size = mh_bss_end_addr - mh_load_addr;
-+
-+            if (mh_load_end_addr < mh_load_addr) {
-+                fprintf(stderr, "invalid mh_load_end_addr address\n");
-+                exit(1);
-+            }
-             mb_load_size = mh_load_end_addr - mh_load_addr;
-         } else {
-+            if (kernel_file_size < mb_kernel_text_offset) {
-+                fprintf(stderr, "invalid kernel_file_size\n");
-+                exit(1);
-+            }
-             mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
-             mb_load_size = mb_kernel_size;
-         }
--- 
-2.13.5
-