diff options
| author | Mark H Weaver <mhw@netris.org> | 2016-02-02 21:57:43 -0500 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2016-02-03 00:05:22 -0500 |
| commit | fd9a5b0fc3594cf3c62099f01502a150a54823fc (patch) | |
| tree | bd8566f193f9a8921750a49a203395fa75f946bf /gnu/packages/patches/qemu-CVE-2015-8701.patch | |
| parent | 80cc3a0a4a4e3b7deca4d1e3e4533eb400e3fde9 (diff) | |
gnu: qemu: Update to 2.5.0; add fixes for security flaws.
* gnu/packages/patches/qemu-CVE-2015-6855.patch: Delete file.
* gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch,
gnu/packages/patches/qemu-CVE-2015-8558.patch,
gnu/packages/patches/qemu-CVE-2015-8567.patch,
gnu/packages/patches/qemu-CVE-2015-8613.patch,
gnu/packages/patches/qemu-CVE-2015-8701.patch,
gnu/packages/patches/qemu-CVE-2015-8743.patch,
gnu/packages/patches/qemu-CVE-2016-1568.patch,
gnu/packages/patches/qemu-CVE-2016-1922.patch: New files.
* gnu-system.am (dist_patch_DATA): Remove 'qemu-CVE-2015-6855.patch'; add the
new patches.
* gnu/packages/qemu.scm (qemu): Update to 2.5.0.
[source]: Remove old patches and add new ones.
[arguments]: Add 'disable-test-qga' phase.
(%glib-memory-vtable-patch, %glib-duplicate-test-patch): Remove variables.
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2015-8701.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2015-8701.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2015-8701.patch b/gnu/packages/patches/qemu-CVE-2015-8701.patch new file mode 100644 index 0000000000..c7ab7b68b0 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2015-8701.patch @@ -0,0 +1,47 @@ +From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Mon, 28 Dec 2015 16:24:08 +0530 +Subject: [PATCH] net: rocker: fix an incorrect array bounds check + +While processing transmit(tx) descriptors in 'tx_consume' routine +the switch emulator suffers from an off-by-one error, if a +descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) +fragments. Fix an incorrect bounds check to avoid it. + +Reported-by: Qinghao Tang <luodalongde@gmail.com> +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> +--- + hw/net/rocker/rocker.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c +index c57f1a6..2e77e50 100644 +--- a/hw/net/rocker/rocker.c ++++ b/hw/net/rocker/rocker.c +@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info) + frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]); + frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]); + ++ if (iovcnt >= ROCKER_TX_FRAGS_MAX) { ++ goto err_too_many_frags; ++ } + iov[iovcnt].iov_len = frag_len; + iov[iovcnt].iov_base = g_malloc(frag_len); + if (!iov[iovcnt].iov_base) { +@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info) + err = -ROCKER_ENXIO; + goto err_bad_io; + } +- +- if (++iovcnt > ROCKER_TX_FRAGS_MAX) { +- goto err_too_many_frags; +- } ++ iovcnt++; + } + + if (iovcnt) { +-- +2.6.3 + |