From e45f399bf94b07faa7def233ec4da7f4826fc31f Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 18 Apr 2018 10:56:50 -0400 Subject: gnu: qemu: Fix CVE-2018-7550. * gnu/packages/patches/qemu-CVE-2018-7550.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/virtualization.scm (qemu)[source]: Use it. --- gnu/packages/patches/qemu-CVE-2018-7550.patch | 66 +++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 gnu/packages/patches/qemu-CVE-2018-7550.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/qemu-CVE-2018-7550.patch b/gnu/packages/patches/qemu-CVE-2018-7550.patch new file mode 100644 index 0000000000..43f111e206 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2018-7550.patch @@ -0,0 +1,66 @@ +Fix CVE-2018-7550: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7550 + +Patch copied from upstream source repository: + +https://git.qemu.org/?p=qemu.git;a=patch;h=2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 + +From 2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 Mon Sep 17 00:00:00 2001 +From: Jack Schwartz +Date: Thu, 21 Dec 2017 09:25:15 -0800 +Subject: [PATCH] multiboot: bss_end_addr can be zero + +The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/), +section 3.1.3, allows for bss_end_addr to be zero. + +A zero bss_end_addr signifies there is no .bss section. + +Suggested-by: Daniel Kiper +Signed-off-by: Jack Schwartz +Reviewed-by: Daniel Kiper +Reviewed-by: Prasad J Pandit +Signed-off-by: Kevin Wolf +--- + hw/i386/multiboot.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c +index 46d9c68bf5..bb8d8e4629 100644 +--- a/hw/i386/multiboot.c ++++ b/hw/i386/multiboot.c +@@ -233,12 +233,6 @@ int load_multiboot(FWCfgState *fw_cfg, + mh_entry_addr = ldl_p(header+i+28); + + if (mh_load_end_addr) { +- if (mh_bss_end_addr < mh_load_addr) { +- fprintf(stderr, "invalid mh_bss_end_addr address\n"); +- exit(1); +- } +- mb_kernel_size = mh_bss_end_addr - mh_load_addr; +- + if (mh_load_end_addr < mh_load_addr) { + fprintf(stderr, "invalid mh_load_end_addr address\n"); + exit(1); +@@ -249,8 +243,16 @@ int load_multiboot(FWCfgState *fw_cfg, + fprintf(stderr, "invalid kernel_file_size\n"); + exit(1); + } +- mb_kernel_size = kernel_file_size - mb_kernel_text_offset; +- mb_load_size = mb_kernel_size; ++ mb_load_size = kernel_file_size - mb_kernel_text_offset; ++ } ++ if (mh_bss_end_addr) { ++ if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) { ++ fprintf(stderr, "invalid mh_bss_end_addr address\n"); ++ exit(1); ++ } ++ mb_kernel_size = mh_bss_end_addr - mh_load_addr; ++ } else { ++ mb_kernel_size = mb_load_size; + } + + /* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_VBE. +-- +2.17.0 + -- cgit 1.4.1