Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-5898.patch')
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5898.patch44
1 files changed, 44 insertions, 0 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-5898.patch b/gnu/packages/patches/qemu-CVE-2017-5898.patch
new file mode 100644
index 0000000000..5a94bb1ae4
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5898.patch
@@ -0,0 +1,44 @@
+Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
+
+http://seclists.org/oss-sec/2017/q1/328
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
+
+Patch copied from upstream source repository:
+
+http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
+
+From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 3 Feb 2017 00:52:28 +0530
+Subject: [PATCH] usb: ccid: check ccid apdu length
+
+CCID device emulator uses Application Protocol Data Units(APDU)
+to exchange command and responses to and from the host.
+The length in these units couldn't be greater than 65536. Add
+check to ensure the same. It'd also avoid potential integer
+overflow in emulated_apdu_from_guest.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170202192228.10847-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 89e11b68c4..1325ea1659 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
+     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
+                 recv->hdr.bSeq, len);
+     ccid_add_pending_answer(s, (CCID_Header *)recv);
+-    if (s->card) {
++    if (s->card && len <= BULK_OUT_DATA_SIZE) {
+         ccid_card_apdu_from_guest(s->card, recv->abData, len);
+     } else {
+         DPRINTF(s, D_WARN, "warning: discarded apdu\n");
+-- 
+2.11.1
+
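Review bot: The new length check on the `if (s->card && len <= BULK_OUT_DATA_SIZE)` line guards only the call into ccid_card_apdu_from_guest, while `len` is already used unguarded two lines earlier in the DPRINTF and its declaration and derivation from the guest-supplied `recv->hdr` sit outside the hunk, so any other consumer of `len` between the parse and this point stays unchecked; validating once where `len` is read from the header would cover every use. That DPRINTF prints `len` with `%d`; if `len` turns out to be unsigned (its type is not visible here), the specifier should be `%u` to avoid a format mismatch. The commit message states the length cannot exceed 65536, which matches the code only if BULK_OUT_DATA_SIZE is defined as 65536 — that definition is not in the hunk and is worth confirming against the header. Since the patch is copied verbatim from upstream, these points belong in an upstream follow-up rather than an edit to the vendored file; ccid_on_apdu_from_guest begins and ends outside the embedded hunk.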