* [PATCH][dizzy] qemu-slirp: CVE-2014-3640
@ 2015-08-25 9:50 Sona Sarmadi
2015-08-28 16:40 ` akuster808
0 siblings, 1 reply; 2+ messages in thread
From: Sona Sarmadi @ 2015-08-25 9:50 UTC (permalink / raw)
To: openembedded-core
Fixes NULL pointer deref in sosendto().
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3640
Upstream patch:
http://git.qemu.org/?p=qemu.git;a=commit;
h=9a72433843d912a45046959b1953861211d1838d
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
.../qemu/qemu/slirp-CVE-2014-3640.patch | 48 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.1.0.bb | 1 +
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
diff --git a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
new file mode 100644
index 0000000..a7ecf31
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
@@ -0,0 +1,48 @@
+From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Thu, 18 Sep 2014 08:35:37 +0200
+Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
+ uninitialized socket
+
+When guest sends udp packet with source port and source addr 0,
+uninitialized socket is picked up when looking for matching and already
+created udp sockets, and later passed to sosendto() where NULL pointer
+dereference is hit during so->slirp->vnetwork_mask.s_addr access.
+
+Fix this by checking that the socket is not just a socket stub.
+
+This is CVE-2014-3640.
+
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
+Reported-by: Stephane Duverger <stephane.duverger@eads.net>
+Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ slirp/udp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/slirp/udp.c b/slirp/udp.c
+index 8cc6cb6..f77e00f 100644
+--- a/slirp/udp.c
++++ b/slirp/udp.c
+@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
+ * Locate pcb for datagram.
+ */
+ so = slirp->udp_last_so;
+- if (so->so_lport != uh->uh_sport ||
++ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
+ so->so_laddr.s_addr != ip->ip_src.s_addr) {
+ struct socket *tmp;
+
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
index 444a422..92a89d6 100644
--- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://qemu-CVE-2015-3456.patch \
file://CVE-2014-7840.patch \
file://vnc-CVE-2014-7815.patch \
+ file://slirp-CVE-2014-3640.patch \
"
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"
--
1.9.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH][dizzy] qemu-slirp: CVE-2014-3640
2015-08-25 9:50 [PATCH][dizzy] qemu-slirp: CVE-2014-3640 Sona Sarmadi
@ 2015-08-28 16:40 ` akuster808
0 siblings, 0 replies; 2+ messages in thread
From: akuster808 @ 2015-08-28 16:40 UTC (permalink / raw)
To: openembedded-core
merged to staging
thanks
- armin
On 08/25/2015 02:50 AM, Sona Sarmadi wrote:
> Fixes NULL pointer deref in sosendto().
>
> Reference:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3640
>
> Upstream patch:
> http://git.qemu.org/?p=qemu.git;a=commit;
> h=9a72433843d912a45046959b1953861211d1838d
>
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> ---
> .../qemu/qemu/slirp-CVE-2014-3640.patch | 48 ++++++++++++++++++++++
> meta/recipes-devtools/qemu/qemu_2.1.0.bb | 1 +
> 2 files changed, 49 insertions(+)
> create mode 100644 meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
> new file mode 100644
> index 0000000..a7ecf31
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
> @@ -0,0 +1,48 @@
> +From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
> +From: Petr Matousek <pmatouse@redhat.com>
> +Date: Thu, 18 Sep 2014 08:35:37 +0200
> +Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
> + uninitialized socket
> +
> +When guest sends udp packet with source port and source addr 0,
> +uninitialized socket is picked up when looking for matching and already
> +created udp sockets, and later passed to sosendto() where NULL pointer
> +dereference is hit during so->slirp->vnetwork_mask.s_addr access.
> +
> +Fix this by checking that the socket is not just a socket stub.
> +
> +This is CVE-2014-3640.
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Petr Matousek <pmatouse@redhat.com>
> +Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
> +Reported-by: Stephane Duverger <stephane.duverger@eads.net>
> +Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> +Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
> +Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
> +Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> +(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
> +Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> +---
> + slirp/udp.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/slirp/udp.c b/slirp/udp.c
> +index 8cc6cb6..f77e00f 100644
> +--- a/slirp/udp.c
> ++++ b/slirp/udp.c
> +@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
> + * Locate pcb for datagram.
> + */
> + so = slirp->udp_last_so;
> +- if (so->so_lport != uh->uh_sport ||
> ++ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
> + so->so_laddr.s_addr != ip->ip_src.s_addr) {
> + struct socket *tmp;
> +
> +--
> +1.9.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
> index 444a422..92a89d6 100644
> --- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb
> +++ b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
> @@ -10,6 +10,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
> file://qemu-CVE-2015-3456.patch \
> file://CVE-2014-7840.patch \
> file://vnc-CVE-2014-7815.patch \
> + file://slirp-CVE-2014-3640.patch \
> "
> SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
> SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-08-28 16:40 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-08-25 9:50 [PATCH][dizzy] qemu-slirp: CVE-2014-3640 Sona Sarmadi
2015-08-28 16:40 ` akuster808
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox