Rebased to version 2.3.1
parent
cce96bf59a
commit
7fbffc1697
@ -1,82 +0,0 @@
|
|||||||
From: Petr Matousek <pmatouse@redhat.com>
|
|
||||||
Date: Wed, 6 May 2015 09:48:59 +0200
|
|
||||||
Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
|
|
||||||
buffer
|
|
||||||
|
|
||||||
During processing of certain commands such as FD_CMD_READ_ID and
|
|
||||||
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
|
|
||||||
get out of bounds leading to memory corruption with values coming
|
|
||||||
from the guest.
|
|
||||||
|
|
||||||
Fix this by making sure that the index is always bounded by the
|
|
||||||
allocated memory.
|
|
||||||
|
|
||||||
This is CVE-2015-3456.
|
|
||||||
|
|
||||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
|
||||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
|
||||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
|
||||||
(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c)
|
|
||||||
---
|
|
||||||
hw/block/fdc.c | 17 +++++++++++------
|
|
||||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
|
|
||||||
index 2bf87c9..a9de4ab 100644
|
|
||||||
--- a/hw/block/fdc.c
|
|
||||||
+++ b/hw/block/fdc.c
|
|
||||||
@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
|
||||||
{
|
|
||||||
FDrive *cur_drv;
|
|
||||||
uint32_t retval = 0;
|
|
||||||
- int pos;
|
|
||||||
+ uint32_t pos;
|
|
||||||
|
|
||||||
cur_drv = get_cur_drv(fdctrl);
|
|
||||||
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
|
|
||||||
@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
pos = fdctrl->data_pos;
|
|
||||||
+ pos %= FD_SECTOR_LEN;
|
|
||||||
if (fdctrl->msr & FD_MSR_NONDMA) {
|
|
||||||
- pos %= FD_SECTOR_LEN;
|
|
||||||
if (pos == 0) {
|
|
||||||
if (fdctrl->data_pos != 0)
|
|
||||||
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
|
|
||||||
@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
|
|
||||||
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
|
|
||||||
{
|
|
||||||
FDrive *cur_drv = get_cur_drv(fdctrl);
|
|
||||||
+ uint32_t pos;
|
|
||||||
|
|
||||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
|
|
||||||
+ pos = fdctrl->data_pos - 1;
|
|
||||||
+ pos %= FD_SECTOR_LEN;
|
|
||||||
+ if (fdctrl->fifo[pos] & 0x80) {
|
|
||||||
/* Command parameters done */
|
|
||||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
|
|
||||||
+ if (fdctrl->fifo[pos] & 0x40) {
|
|
||||||
fdctrl->fifo[0] = fdctrl->fifo[1];
|
|
||||||
fdctrl->fifo[2] = 0;
|
|
||||||
fdctrl->fifo[3] = 0;
|
|
||||||
@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
|
|
||||||
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
|
||||||
{
|
|
||||||
FDrive *cur_drv;
|
|
||||||
- int pos;
|
|
||||||
+ uint32_t pos;
|
|
||||||
|
|
||||||
/* Reset mode */
|
|
||||||
if (!(fdctrl->dor & FD_DOR_nRESET)) {
|
|
||||||
@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
|
||||||
}
|
|
||||||
|
|
||||||
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
|
|
||||||
- fdctrl->fifo[fdctrl->data_pos++] = value;
|
|
||||||
+ pos = fdctrl->data_pos++;
|
|
||||||
+ pos %= FD_SECTOR_LEN;
|
|
||||||
+ fdctrl->fifo[pos] = value;
|
|
||||||
if (fdctrl->data_pos == fdctrl->data_len) {
|
|
||||||
/* We now have all parameters
|
|
||||||
* and will be able to treat the command
|
|
@ -17,10 +17,10 @@ Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|||||||
1 file changed, 12 insertions(+), 10 deletions(-)
|
1 file changed, 12 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
|
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
|
||||||
index 6cbae1d..6b83b3e 100644
|
index 63c0085..d4f3351 100644
|
||||||
--- a/block/qcow2-refcount.c
|
--- a/block/qcow2-refcount.c
|
||||||
+++ b/block/qcow2-refcount.c
|
+++ b/block/qcow2-refcount.c
|
||||||
@@ -949,19 +949,21 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size)
|
@@ -954,19 +954,21 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size)
|
||||||
}
|
}
|
||||||
|
|
||||||
free_in_cluster = s->cluster_size - offset_into_cluster(s, offset);
|
free_in_cluster = s->cluster_size - offset_into_cluster(s, offset);
|
@ -1,49 +0,0 @@
|
|||||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
||||||
Date: Tue, 9 Jun 2015 21:08:47 +0200
|
|
||||||
Subject: [PATCH] spice-display: fix segfault in qemu_spice_create_update
|
|
||||||
|
|
||||||
Although it is pretty unusual the stride for the guest image and the
|
|
||||||
mirror image maintained by spice-display can be different. So use
|
|
||||||
separate variables for them.
|
|
||||||
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1163047
|
|
||||||
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Reported-by: perrier vincent <clownix@clownix.net>
|
|
||||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
||||||
(cherry picked from commit c6e484707f28b3e115e64122a0570f6b3c585489)
|
|
||||||
---
|
|
||||||
ui/spice-display.c | 9 +++++----
|
|
||||||
1 file changed, 5 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ui/spice-display.c b/ui/spice-display.c
|
|
||||||
index 1644185..5935564 100644
|
|
||||||
--- a/ui/spice-display.c
|
|
||||||
+++ b/ui/spice-display.c
|
|
||||||
@@ -199,7 +199,7 @@ static void qemu_spice_create_update(SimpleSpiceDisplay *ssd)
|
|
||||||
static const int blksize = 32;
|
|
||||||
int blocks = (surface_width(ssd->ds) + blksize - 1) / blksize;
|
|
||||||
int dirty_top[blocks];
|
|
||||||
- int y, yoff, x, xoff, blk, bw;
|
|
||||||
+ int y, yoff1, yoff2, x, xoff, blk, bw;
|
|
||||||
int bpp = surface_bytes_per_pixel(ssd->ds);
|
|
||||||
uint8_t *guest, *mirror;
|
|
||||||
|
|
||||||
@@ -214,13 +214,14 @@ static void qemu_spice_create_update(SimpleSpiceDisplay *ssd)
|
|
||||||
guest = surface_data(ssd->ds);
|
|
||||||
mirror = (void *)pixman_image_get_data(ssd->mirror);
|
|
||||||
for (y = ssd->dirty.top; y < ssd->dirty.bottom; y++) {
|
|
||||||
- yoff = y * surface_stride(ssd->ds);
|
|
||||||
+ yoff1 = y * surface_stride(ssd->ds);
|
|
||||||
+ yoff2 = y * pixman_image_get_stride(ssd->mirror);
|
|
||||||
for (x = ssd->dirty.left; x < ssd->dirty.right; x += blksize) {
|
|
||||||
xoff = x * bpp;
|
|
||||||
blk = x / blksize;
|
|
||||||
bw = MIN(blksize, ssd->dirty.right - x);
|
|
||||||
- if (memcmp(guest + yoff + xoff,
|
|
||||||
- mirror + yoff + xoff,
|
|
||||||
+ if (memcmp(guest + yoff1 + xoff,
|
|
||||||
+ mirror + yoff2 + xoff,
|
|
||||||
bw * bpp) == 0) {
|
|
||||||
if (dirty_top[blk] != -1) {
|
|
||||||
QXLRect update = {
|
|
@ -1,40 +0,0 @@
|
|||||||
From: Petr Matousek <pmatouse@redhat.com>
|
|
||||||
Date: Wed, 17 Jun 2015 12:46:11 +0200
|
|
||||||
Subject: [PATCH] i8254: fix out-of-bounds memory access in pit_ioport_read()
|
|
||||||
|
|
||||||
Due converting PIO to the new memory read/write api we no longer provide
|
|
||||||
separate I/O region lenghts for read and write operations. As a result,
|
|
||||||
reading from PIT Mode/Command register will end with accessing
|
|
||||||
pit->channels with invalid index.
|
|
||||||
|
|
||||||
Fix this by ignoring read from the Mode/Command register.
|
|
||||||
|
|
||||||
This is CVE-2015-3214.
|
|
||||||
|
|
||||||
Reported-by: Matt Tait <matttait@google.com>
|
|
||||||
Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
(cherry picked from commit d4862a87e31a51de9eb260f25c9e99a75efe3235)
|
|
||||||
---
|
|
||||||
hw/timer/i8254.c | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
|
|
||||||
index 3450c98..9b65a33 100644
|
|
||||||
--- a/hw/timer/i8254.c
|
|
||||||
+++ b/hw/timer/i8254.c
|
|
||||||
@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
|
|
||||||
PITChannelState *s;
|
|
||||||
|
|
||||||
addr &= 3;
|
|
||||||
+
|
|
||||||
+ if (addr == 3) {
|
|
||||||
+ /* Mode/Command register is write only, read is ignored */
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
s = &pit->channels[addr];
|
|
||||||
if (s->status_latched) {
|
|
||||||
s->status_latched = 0;
|
|
@ -1,46 +0,0 @@
|
|||||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
Date: Tue, 21 Jul 2015 08:59:39 +0200
|
|
||||||
Subject: [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb
|
|
||||||
(CVE-2015-5158)
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
This is a guest-triggerable buffer overflow present in QEMU 2.2.0
|
|
||||||
and newer. scsi_cdb_length returns -1 as an error value, but the
|
|
||||||
caller does not check it.
|
|
||||||
|
|
||||||
Luckily, the massive overflow means that QEMU will just SIGSEGV,
|
|
||||||
making the impact much smaller.
|
|
||||||
|
|
||||||
Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
|
|
||||||
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
|
|
||||||
Reviewed-by: Fam Zheng <famz@redhat.com>
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
(cherry picked from commit c170aad8b057223b1139d72e5ce7acceafab4fa9)
|
|
||||||
---
|
|
||||||
hw/scsi/scsi-bus.c | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
|
|
||||||
index bd2c0e4..0c506db 100644
|
|
||||||
--- a/hw/scsi/scsi-bus.c
|
|
||||||
+++ b/hw/scsi/scsi-bus.c
|
|
||||||
@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
|
|
||||||
int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
|
|
||||||
{
|
|
||||||
int rc;
|
|
||||||
+ int len;
|
|
||||||
|
|
||||||
cmd->lba = -1;
|
|
||||||
- cmd->len = scsi_cdb_length(buf);
|
|
||||||
+ len = scsi_cdb_length(buf);
|
|
||||||
+ if (len < 0) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
+ cmd->len = len;
|
|
||||||
switch (dev->type) {
|
|
||||||
case TYPE_TAPE:
|
|
||||||
rc = scsi_req_stream_xfer(cmd, dev, buf);
|
|
@ -1,75 +0,0 @@
|
|||||||
From: Kevin Wolf <kwolf@redhat.com>
|
|
||||||
Date: Sun, 26 Jul 2015 23:42:53 -0400
|
|
||||||
Subject: [PATCH] ide: Check array bounds before writing to io_buffer
|
|
||||||
(CVE-2015-5154)
|
|
||||||
|
|
||||||
If the end_transfer_func of a command is called because enough data has
|
|
||||||
been read or written for the current PIO transfer, and it fails to
|
|
||||||
correctly call the command completion functions, the DRQ bit in the
|
|
||||||
status register and s->end_transfer_func may remain set. This allows the
|
|
||||||
guest to access further bytes in s->io_buffer beyond s->data_end, and
|
|
||||||
eventually overflowing the io_buffer.
|
|
||||||
|
|
||||||
One case where this currently happens is emulation of the ATAPI command
|
|
||||||
START STOP UNIT.
|
|
||||||
|
|
||||||
This patch fixes the problem by adding explicit array bounds checks
|
|
||||||
before accessing the buffer instead of relying on end_transfer_func to
|
|
||||||
function correctly.
|
|
||||||
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
||||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
|
||||||
(cherry picked from commit d2ff85854512574e7209f295e87b0835d5b032c6)
|
|
||||||
---
|
|
||||||
hw/ide/core.c | 16 ++++++++++++++++
|
|
||||||
1 file changed, 16 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/hw/ide/core.c b/hw/ide/core.c
|
|
||||||
index a895fd8..17153f5 100644
|
|
||||||
--- a/hw/ide/core.c
|
|
||||||
+++ b/hw/ide/core.c
|
|
||||||
@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
|
|
||||||
}
|
|
||||||
|
|
||||||
p = s->data_ptr;
|
|
||||||
+ if (p + 2 > s->data_end) {
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
*(uint16_t *)p = le16_to_cpu(val);
|
|
||||||
p += 2;
|
|
||||||
s->data_ptr = p;
|
|
||||||
@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
|
|
||||||
}
|
|
||||||
|
|
||||||
p = s->data_ptr;
|
|
||||||
+ if (p + 2 > s->data_end) {
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = cpu_to_le16(*(uint16_t *)p);
|
|
||||||
p += 2;
|
|
||||||
s->data_ptr = p;
|
|
||||||
@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
|
|
||||||
}
|
|
||||||
|
|
||||||
p = s->data_ptr;
|
|
||||||
+ if (p + 4 > s->data_end) {
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
*(uint32_t *)p = le32_to_cpu(val);
|
|
||||||
p += 4;
|
|
||||||
s->data_ptr = p;
|
|
||||||
@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
|
|
||||||
}
|
|
||||||
|
|
||||||
p = s->data_ptr;
|
|
||||||
+ if (p + 4 > s->data_end) {
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = cpu_to_le32(*(uint32_t *)p);
|
|
||||||
p += 4;
|
|
||||||
s->data_ptr = p;
|
|
@ -1,26 +0,0 @@
|
|||||||
From: Kevin Wolf <kwolf@redhat.com>
|
|
||||||
Date: Sun, 26 Jul 2015 23:42:53 -0400
|
|
||||||
Subject: [PATCH] ide/atapi: Fix START STOP UNIT command completion
|
|
||||||
|
|
||||||
The command must be completed on all code paths. START STOP UNIT with
|
|
||||||
pwrcnd set should succeed without doing anything.
|
|
||||||
|
|
||||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
||||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
|
||||||
(cherry picked from commit 03441c3a4a42beb25460dd11592539030337d0f8)
|
|
||||||
---
|
|
||||||
hw/ide/atapi.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
|
|
||||||
index 950e311..79dd167 100644
|
|
||||||
--- a/hw/ide/atapi.c
|
|
||||||
+++ b/hw/ide/atapi.c
|
|
||||||
@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
|
|
||||||
|
|
||||||
if (pwrcnd) {
|
|
||||||
/* eject/load only happens for power condition == 0 */
|
|
||||||
+ ide_atapi_cmd_ok(s);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
@ -1,69 +0,0 @@
|
|||||||
From: Kevin Wolf <kwolf@redhat.com>
|
|
||||||
Date: Sun, 26 Jul 2015 23:42:53 -0400
|
|
||||||
Subject: [PATCH] ide: Clear DRQ after handling all expected accesses
|
|
||||||
|
|
||||||
This is additional hardening against an end_transfer_func that fails to
|
|
||||||
clear the DRQ status bit. The bit must be unset as soon as the PIO
|
|
||||||
transfer has completed, so it's better to do this in a central place
|
|
||||||
instead of duplicating the code in all commands (and forgetting it in
|
|
||||||
some).
|
|
||||||
|
|
||||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
||||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
|
||||||
(cherry picked from commit cb72cba83021fa42719e73a5249c12096a4d1cfc)
|
|
||||||
---
|
|
||||||
hw/ide/core.c | 16 ++++++++++++----
|
|
||||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/ide/core.c b/hw/ide/core.c
|
|
||||||
index 17153f5..822519b 100644
|
|
||||||
--- a/hw/ide/core.c
|
|
||||||
+++ b/hw/ide/core.c
|
|
||||||
@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
|
|
||||||
*(uint16_t *)p = le16_to_cpu(val);
|
|
||||||
p += 2;
|
|
||||||
s->data_ptr = p;
|
|
||||||
- if (p >= s->data_end)
|
|
||||||
+ if (p >= s->data_end) {
|
|
||||||
+ s->status &= ~DRQ_STAT;
|
|
||||||
s->end_transfer_func(s);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
uint32_t ide_data_readw(void *opaque, uint32_t addr)
|
|
||||||
@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
|
|
||||||
ret = cpu_to_le16(*(uint16_t *)p);
|
|
||||||
p += 2;
|
|
||||||
s->data_ptr = p;
|
|
||||||
- if (p >= s->data_end)
|
|
||||||
+ if (p >= s->data_end) {
|
|
||||||
+ s->status &= ~DRQ_STAT;
|
|
||||||
s->end_transfer_func(s);
|
|
||||||
+ }
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
|
|
||||||
*(uint32_t *)p = le32_to_cpu(val);
|
|
||||||
p += 4;
|
|
||||||
s->data_ptr = p;
|
|
||||||
- if (p >= s->data_end)
|
|
||||||
+ if (p >= s->data_end) {
|
|
||||||
+ s->status &= ~DRQ_STAT;
|
|
||||||
s->end_transfer_func(s);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
uint32_t ide_data_readl(void *opaque, uint32_t addr)
|
|
||||||
@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
|
|
||||||
ret = cpu_to_le32(*(uint32_t *)p);
|
|
||||||
p += 4;
|
|
||||||
s->data_ptr = p;
|
|
||||||
- if (p >= s->data_end)
|
|
||||||
+ if (p >= s->data_end) {
|
|
||||||
+ s->status &= ~DRQ_STAT;
|
|
||||||
s->end_transfer_func(s);
|
|
||||||
+ }
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
||||||
Date: Mon, 3 Aug 2015 13:56:57 +0000
|
|
||||||
Subject: [PATCH] Fix release_drive on unplugged devices
|
|
||||||
(pci_piix3_xen_ide_unplug)
|
|
||||||
|
|
||||||
pci_piix3_xen_ide_unplug should completely unhook the unplugged
|
|
||||||
IDEDevice from the corresponding BlockBackend, otherwise the next call
|
|
||||||
to release_drive will try to detach the drive again.
|
|
||||||
|
|
||||||
Suggested-by: Kevin Wolf <kwolf@redhat.com>
|
|
||||||
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
||||||
(cherry picked from commit 6cd387833d05e8ad31829d97e474dc420625aed9)
|
|
||||||
---
|
|
||||||
hw/ide/piix.c | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/hw/ide/piix.c b/hw/ide/piix.c
|
|
||||||
index adb6649..5a26c86 100644
|
|
||||||
--- a/hw/ide/piix.c
|
|
||||||
+++ b/hw/ide/piix.c
|
|
||||||
@@ -169,6 +169,7 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev)
|
|
||||||
PCIIDEState *pci_ide;
|
|
||||||
DriveInfo *di;
|
|
||||||
int i;
|
|
||||||
+ IDEDevice *idedev;
|
|
||||||
|
|
||||||
pci_ide = PCI_IDE(dev);
|
|
||||||
|
|
||||||
@@ -181,6 +182,12 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev)
|
|
||||||
blk_detach_dev(blk, ds);
|
|
||||||
}
|
|
||||||
pci_ide->bus[di->bus].ifs[di->unit].blk = NULL;
|
|
||||||
+ if (!(i % 2)) {
|
|
||||||
+ idedev = pci_ide->bus[di->bus].master;
|
|
||||||
+ } else {
|
|
||||||
+ idedev = pci_ide->bus[di->bus].slave;
|
|
||||||
+ }
|
|
||||||
+ idedev->conf.blk = NULL;
|
|
||||||
blk_unref(blk);
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,85 +0,0 @@
|
|||||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
Date: Wed, 15 Jul 2015 17:13:32 +0100
|
|
||||||
Subject: [PATCH] rtl8139: avoid nested ifs in IP header parsing
|
|
||||||
(CVE-2015-5165)
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Transmit offload needs to parse packet headers. If header fields have
|
|
||||||
unexpected values the offload processing is skipped.
|
|
||||||
|
|
||||||
The code currently uses nested ifs because there is relatively little
|
|
||||||
input validation. The next patches will add missing input validation
|
|
||||||
and a goto label is more appropriate to avoid deep if statement nesting.
|
|
||||||
|
|
||||||
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
|
|
||||||
Reviewed-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
(cherry picked from commit 39b8e7dcaf04cbdb926b478f825b160d852752b5)
|
|
||||||
---
|
|
||||||
hw/net/rtl8139.c | 41 ++++++++++++++++++++++-------------------
|
|
||||||
1 file changed, 22 insertions(+), 19 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
|
||||||
index f868108..8306b26 100644
|
|
||||||
--- a/hw/net/rtl8139.c
|
|
||||||
+++ b/hw/net/rtl8139.c
|
|
||||||
@@ -2160,28 +2160,30 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
|
|
||||||
size_t eth_payload_len = 0;
|
|
||||||
|
|
||||||
int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
|
|
||||||
- if (proto == ETH_P_IP)
|
|
||||||
+ if (proto != ETH_P_IP)
|
|
||||||
{
|
|
||||||
- DPRINTF("+++ C+ mode has IP packet\n");
|
|
||||||
-
|
|
||||||
- /* not aligned */
|
|
||||||
- eth_payload_data = saved_buffer + ETH_HLEN;
|
|
||||||
- eth_payload_len = saved_size - ETH_HLEN;
|
|
||||||
-
|
|
||||||
- ip = (ip_header*)eth_payload_data;
|
|
||||||
-
|
|
||||||
- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
|
|
||||||
- DPRINTF("+++ C+ mode packet has bad IP version %d "
|
|
||||||
- "expected %d\n", IP_HEADER_VERSION(ip),
|
|
||||||
- IP_HEADER_VERSION_4);
|
|
||||||
- ip = NULL;
|
|
||||||
- } else {
|
|
||||||
- hlen = IP_HEADER_LENGTH(ip);
|
|
||||||
- ip_protocol = ip->ip_p;
|
|
||||||
- ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
|
|
||||||
- }
|
|
||||||
+ goto skip_offload;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ DPRINTF("+++ C+ mode has IP packet\n");
|
|
||||||
+
|
|
||||||
+ /* not aligned */
|
|
||||||
+ eth_payload_data = saved_buffer + ETH_HLEN;
|
|
||||||
+ eth_payload_len = saved_size - ETH_HLEN;
|
|
||||||
+
|
|
||||||
+ ip = (ip_header*)eth_payload_data;
|
|
||||||
+
|
|
||||||
+ if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
|
|
||||||
+ DPRINTF("+++ C+ mode packet has bad IP version %d "
|
|
||||||
+ "expected %d\n", IP_HEADER_VERSION(ip),
|
|
||||||
+ IP_HEADER_VERSION_4);
|
|
||||||
+ goto skip_offload;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ hlen = IP_HEADER_LENGTH(ip);
|
|
||||||
+ ip_protocol = ip->ip_p;
|
|
||||||
+ ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
|
|
||||||
+
|
|
||||||
if (ip)
|
|
||||||
{
|
|
||||||
if (txdw0 & CP_TX_IPCS)
|
|
||||||
@@ -2377,6 +2379,7 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+skip_offload:
|
|
||||||
/* update tally counter */
|
|
||||||
++s->tally_counters.TxOk;
|
|
||||||
|
|
@ -1,376 +0,0 @@
|
|||||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
Date: Wed, 15 Jul 2015 17:17:28 +0100
|
|
||||||
Subject: [PATCH] rtl8139: drop tautologous if (ip) {...} statement
|
|
||||||
(CVE-2015-5165)
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The previous patch stopped using the ip pointer as an indicator that the
|
|
||||||
IP header is present. When we reach the if (ip) {...} statement we know
|
|
||||||
ip is always non-NULL.
|
|
||||||
|
|
||||||
Remove the if statement to reduce nesting.
|
|
||||||
|
|
||||||
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
|
|
||||||
Reviewed-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
(cherry picked from commit d6812d60e7932de3cd0f602c0ee63dd3d09f1847)
|
|
||||||
---
|
|
||||||
hw/net/rtl8139.c | 305 +++++++++++++++++++++++++++----------------------------
|
|
||||||
1 file changed, 151 insertions(+), 154 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
|
||||||
index 8306b26..c044dee 100644
|
|
||||||
--- a/hw/net/rtl8139.c
|
|
||||||
+++ b/hw/net/rtl8139.c
|
|
||||||
@@ -2184,198 +2184,195 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
|
|
||||||
ip_protocol = ip->ip_p;
|
|
||||||
ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
|
|
||||||
|
|
||||||
- if (ip)
|
|
||||||
+ if (txdw0 & CP_TX_IPCS)
|
|
||||||
{
|
|
||||||
- if (txdw0 & CP_TX_IPCS)
|
|
||||||
- {
|
|
||||||
- DPRINTF("+++ C+ mode need IP checksum\n");
|
|
||||||
+ DPRINTF("+++ C+ mode need IP checksum\n");
|
|
||||||
|
|
||||||
- if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */
|
|
||||||
- /* bad packet header len */
|
|
||||||
- /* or packet too short */
|
|
||||||
- }
|
|
||||||
- else
|
|
||||||
- {
|
|
||||||
- ip->ip_sum = 0;
|
|
||||||
- ip->ip_sum = ip_checksum(ip, hlen);
|
|
||||||
- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n",
|
|
||||||
- hlen, ip->ip_sum);
|
|
||||||
- }
|
|
||||||
+ if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */
|
|
||||||
+ /* bad packet header len */
|
|
||||||
+ /* or packet too short */
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
|
|
||||||
+ else
|
|
||||||
{
|
|
||||||
- int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
|
|
||||||
+ ip->ip_sum = 0;
|
|
||||||
+ ip->ip_sum = ip_checksum(ip, hlen);
|
|
||||||
+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n",
|
|
||||||
+ hlen, ip->ip_sum);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d "
|
|
||||||
- "frame data %d specified MSS=%d\n", ETH_MTU,
|
|
||||||
- ip_data_len, saved_size - ETH_HLEN, large_send_mss);
|
|
||||||
+ if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
|
|
||||||
+ {
|
|
||||||
+ int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
|
|
||||||
|
|
||||||
- int tcp_send_offset = 0;
|
|
||||||
- int send_count = 0;
|
|
||||||
+ DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d "
|
|
||||||
+ "frame data %d specified MSS=%d\n", ETH_MTU,
|
|
||||||
+ ip_data_len, saved_size - ETH_HLEN, large_send_mss);
|
|
||||||
|
|
||||||
- /* maximum IP header length is 60 bytes */
|
|
||||||
- uint8_t saved_ip_header[60];
|
|
||||||
+ int tcp_send_offset = 0;
|
|
||||||
+ int send_count = 0;
|
|
||||||
|
|
||||||
- /* save IP header template; data area is used in tcp checksum calculation */
|
|
||||||
- memcpy(saved_ip_header, eth_payload_data, hlen);
|
|
||||||
+ /* maximum IP header length is 60 bytes */
|
|
||||||
+ uint8_t saved_ip_header[60];
|
|
||||||
|
|
||||||
- /* a placeholder for checksum calculation routine in tcp case */
|
|
||||||
- uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
|
|
||||||
- // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
|
|
||||||
+ /* save IP header template; data area is used in tcp checksum calculation */
|
|
||||||
+ memcpy(saved_ip_header, eth_payload_data, hlen);
|
|
||||||
|
|
||||||
- /* pointer to TCP header */
|
|
||||||
- tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
|
|
||||||
+ /* a placeholder for checksum calculation routine in tcp case */
|
|
||||||
+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
|
|
||||||
+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
|
|
||||||
|
|
||||||
- int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
|
|
||||||
+ /* pointer to TCP header */
|
|
||||||
+ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
|
|
||||||
|
|
||||||
- /* ETH_MTU = ip header len + tcp header len + payload */
|
|
||||||
- int tcp_data_len = ip_data_len - tcp_hlen;
|
|
||||||
- int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
|
|
||||||
+ int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
|
|
||||||
|
|
||||||
- DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP "
|
|
||||||
- "data len %d TCP chunk size %d\n", ip_data_len,
|
|
||||||
- tcp_hlen, tcp_data_len, tcp_chunk_size);
|
|
||||||
+ /* ETH_MTU = ip header len + tcp header len + payload */
|
|
||||||
+ int tcp_data_len = ip_data_len - tcp_hlen;
|
|
||||||
+ int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
|
|
||||||
|
|
||||||
- /* note the cycle below overwrites IP header data,
|
|
||||||
- but restores it from saved_ip_header before sending packet */
|
|
||||||
+ DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP "
|
|
||||||
+ "data len %d TCP chunk size %d\n", ip_data_len,
|
|
||||||
+ tcp_hlen, tcp_data_len, tcp_chunk_size);
|
|
||||||
|
|
||||||
- int is_last_frame = 0;
|
|
||||||
+ /* note the cycle below overwrites IP header data,
|
|
||||||
+ but restores it from saved_ip_header before sending packet */
|
|
||||||
|
|
||||||
- for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size)
|
|
||||||
- {
|
|
||||||
- uint16_t chunk_size = tcp_chunk_size;
|
|
||||||
-
|
|
||||||
- /* check if this is the last frame */
|
|
||||||
- if (tcp_send_offset + tcp_chunk_size >= tcp_data_len)
|
|
||||||
- {
|
|
||||||
- is_last_frame = 1;
|
|
||||||
- chunk_size = tcp_data_len - tcp_send_offset;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- DPRINTF("+++ C+ mode TSO TCP seqno %08x\n",
|
|
||||||
- be32_to_cpu(p_tcp_hdr->th_seq));
|
|
||||||
-
|
|
||||||
- /* add 4 TCP pseudoheader fields */
|
|
||||||
- /* copy IP source and destination fields */
|
|
||||||
- memcpy(data_to_checksum, saved_ip_header + 12, 8);
|
|
||||||
-
|
|
||||||
- DPRINTF("+++ C+ mode TSO calculating TCP checksum for "
|
|
||||||
- "packet with %d bytes data\n", tcp_hlen +
|
|
||||||
- chunk_size);
|
|
||||||
-
|
|
||||||
- if (tcp_send_offset)
|
|
||||||
- {
|
|
||||||
- memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* keep PUSH and FIN flags only for the last frame */
|
|
||||||
- if (!is_last_frame)
|
|
||||||
- {
|
|
||||||
- TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* recalculate TCP checksum */
|
|
||||||
- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
|
|
||||||
- p_tcpip_hdr->zeros = 0;
|
|
||||||
- p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
|
|
||||||
- p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size);
|
|
||||||
-
|
|
||||||
- p_tcp_hdr->th_sum = 0;
|
|
||||||
-
|
|
||||||
- int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12);
|
|
||||||
- DPRINTF("+++ C+ mode TSO TCP checksum %04x\n",
|
|
||||||
- tcp_checksum);
|
|
||||||
-
|
|
||||||
- p_tcp_hdr->th_sum = tcp_checksum;
|
|
||||||
-
|
|
||||||
- /* restore IP header */
|
|
||||||
- memcpy(eth_payload_data, saved_ip_header, hlen);
|
|
||||||
-
|
|
||||||
- /* set IP data length and recalculate IP checksum */
|
|
||||||
- ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size);
|
|
||||||
-
|
|
||||||
- /* increment IP id for subsequent frames */
|
|
||||||
- ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id));
|
|
||||||
-
|
|
||||||
- ip->ip_sum = 0;
|
|
||||||
- ip->ip_sum = ip_checksum(eth_payload_data, hlen);
|
|
||||||
- DPRINTF("+++ C+ mode TSO IP header len=%d "
|
|
||||||
- "checksum=%04x\n", hlen, ip->ip_sum);
|
|
||||||
-
|
|
||||||
- int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size;
|
|
||||||
- DPRINTF("+++ C+ mode TSO transferring packet size "
|
|
||||||
- "%d\n", tso_send_size);
|
|
||||||
- rtl8139_transfer_frame(s, saved_buffer, tso_send_size,
|
|
||||||
- 0, (uint8_t *) dot1q_buffer);
|
|
||||||
-
|
|
||||||
- /* add transferred count to TCP sequence number */
|
|
||||||
- p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq));
|
|
||||||
- ++send_count;
|
|
||||||
- }
|
|
||||||
+ int is_last_frame = 0;
|
|
||||||
|
|
||||||
- /* Stop sending this frame */
|
|
||||||
- saved_size = 0;
|
|
||||||
- }
|
|
||||||
- else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS))
|
|
||||||
+ for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size)
|
|
||||||
{
|
|
||||||
- DPRINTF("+++ C+ mode need TCP or UDP checksum\n");
|
|
||||||
+ uint16_t chunk_size = tcp_chunk_size;
|
|
||||||
|
|
||||||
- /* maximum IP header length is 60 bytes */
|
|
||||||
- uint8_t saved_ip_header[60];
|
|
||||||
- memcpy(saved_ip_header, eth_payload_data, hlen);
|
|
||||||
+ /* check if this is the last frame */
|
|
||||||
+ if (tcp_send_offset + tcp_chunk_size >= tcp_data_len)
|
|
||||||
+ {
|
|
||||||
+ is_last_frame = 1;
|
|
||||||
+ chunk_size = tcp_data_len - tcp_send_offset;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
|
|
||||||
- // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
|
|
||||||
+ DPRINTF("+++ C+ mode TSO TCP seqno %08x\n",
|
|
||||||
+ be32_to_cpu(p_tcp_hdr->th_seq));
|
|
||||||
|
|
||||||
/* add 4 TCP pseudoheader fields */
|
|
||||||
/* copy IP source and destination fields */
|
|
||||||
memcpy(data_to_checksum, saved_ip_header + 12, 8);
|
|
||||||
|
|
||||||
- if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP)
|
|
||||||
+ DPRINTF("+++ C+ mode TSO calculating TCP checksum for "
|
|
||||||
+ "packet with %d bytes data\n", tcp_hlen +
|
|
||||||
+ chunk_size);
|
|
||||||
+
|
|
||||||
+ if (tcp_send_offset)
|
|
||||||
{
|
|
||||||
- DPRINTF("+++ C+ mode calculating TCP checksum for "
|
|
||||||
- "packet with %d bytes data\n", ip_data_len);
|
|
||||||
+ memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
|
|
||||||
- p_tcpip_hdr->zeros = 0;
|
|
||||||
- p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
|
|
||||||
- p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
|
|
||||||
+ /* keep PUSH and FIN flags only for the last frame */
|
|
||||||
+ if (!is_last_frame)
|
|
||||||
+ {
|
|
||||||
+ TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12);
|
|
||||||
+ /* recalculate TCP checksum */
|
|
||||||
+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
|
|
||||||
+ p_tcpip_hdr->zeros = 0;
|
|
||||||
+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
|
|
||||||
+ p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size);
|
|
||||||
|
|
||||||
- p_tcp_hdr->th_sum = 0;
|
|
||||||
+ p_tcp_hdr->th_sum = 0;
|
|
||||||
|
|
||||||
- int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
|
|
||||||
- DPRINTF("+++ C+ mode TCP checksum %04x\n",
|
|
||||||
- tcp_checksum);
|
|
||||||
+ int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12);
|
|
||||||
+ DPRINTF("+++ C+ mode TSO TCP checksum %04x\n",
|
|
||||||
+ tcp_checksum);
|
|
||||||
|
|
||||||
- p_tcp_hdr->th_sum = tcp_checksum;
|
|
||||||
- }
|
|
||||||
- else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP)
|
|
||||||
- {
|
|
||||||
- DPRINTF("+++ C+ mode calculating UDP checksum for "
|
|
||||||
- "packet with %d bytes data\n", ip_data_len);
|
|
||||||
+ p_tcp_hdr->th_sum = tcp_checksum;
|
|
||||||
|
|
||||||
- ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum;
|
|
||||||
- p_udpip_hdr->zeros = 0;
|
|
||||||
- p_udpip_hdr->ip_proto = IP_PROTO_UDP;
|
|
||||||
- p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
|
|
||||||
+ /* restore IP header */
|
|
||||||
+ memcpy(eth_payload_data, saved_ip_header, hlen);
|
|
||||||
|
|
||||||
- udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12);
|
|
||||||
+ /* set IP data length and recalculate IP checksum */
|
|
||||||
+ ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size);
|
|
||||||
|
|
||||||
- p_udp_hdr->uh_sum = 0;
|
|
||||||
+ /* increment IP id for subsequent frames */
|
|
||||||
+ ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id));
|
|
||||||
|
|
||||||
- int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
|
|
||||||
- DPRINTF("+++ C+ mode UDP checksum %04x\n",
|
|
||||||
- udp_checksum);
|
|
||||||
+ ip->ip_sum = 0;
|
|
||||||
+ ip->ip_sum = ip_checksum(eth_payload_data, hlen);
|
|
||||||
+ DPRINTF("+++ C+ mode TSO IP header len=%d "
|
|
||||||
+ "checksum=%04x\n", hlen, ip->ip_sum);
|
|
||||||
|
|
||||||
- p_udp_hdr->uh_sum = udp_checksum;
|
|
||||||
- }
|
|
||||||
+ int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size;
|
|
||||||
+ DPRINTF("+++ C+ mode TSO transferring packet size "
|
|
||||||
+ "%d\n", tso_send_size);
|
|
||||||
+ rtl8139_transfer_frame(s, saved_buffer, tso_send_size,
|
|
||||||
+ 0, (uint8_t *) dot1q_buffer);
|
|
||||||
|
|
||||||
- /* restore IP header */
|
|
||||||
- memcpy(eth_payload_data, saved_ip_header, hlen);
|
|
||||||
+ /* add transferred count to TCP sequence number */
|
|
||||||
+ p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq));
|
|
||||||
+ ++send_count;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /* Stop sending this frame */
|
|
||||||
+ saved_size = 0;
|
|
||||||
+ }
|
|
||||||
+ else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS))
|
|
||||||
+ {
|
|
||||||
+ DPRINTF("+++ C+ mode need TCP or UDP checksum\n");
|
|
||||||
+
|
|
||||||
+ /* maximum IP header length is 60 bytes */
|
|
||||||
+ uint8_t saved_ip_header[60];
|
|
||||||
+ memcpy(saved_ip_header, eth_payload_data, hlen);
|
|
||||||
+
|
|
||||||
+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
|
|
||||||
+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
|
|
||||||
+
|
|
||||||
+ /* add 4 TCP pseudoheader fields */
|
|
||||||
+ /* copy IP source and destination fields */
|
|
||||||
+ memcpy(data_to_checksum, saved_ip_header + 12, 8);
|
|
||||||
+
|
|
||||||
+ if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP)
|
|
||||||
+ {
|
|
||||||
+ DPRINTF("+++ C+ mode calculating TCP checksum for "
|
|
||||||
+ "packet with %d bytes data\n", ip_data_len);
|
|
||||||
+
|
|
||||||
+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
|
|
||||||
+ p_tcpip_hdr->zeros = 0;
|
|
||||||
+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
|
|
||||||
+ p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
|
|
||||||
+
|
|
||||||
+ tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12);
|
|
||||||
+
|
|
||||||
+ p_tcp_hdr->th_sum = 0;
|
|
||||||
+
|
|
||||||
+ int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
|
|
||||||
+ DPRINTF("+++ C+ mode TCP checksum %04x\n",
|
|
||||||
+ tcp_checksum);
|
|
||||||
+
|
|
||||||
+ p_tcp_hdr->th_sum = tcp_checksum;
|
|
||||||
+ }
|
|
||||||
+ else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP)
|
|
||||||
+ {
|
|
||||||
+ DPRINTF("+++ C+ mode calculating UDP checksum for "
|
|
||||||
+ "packet with %d bytes data\n", ip_data_len);
|
|
||||||
+
|
|
||||||
+ ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum;
|
|
||||||
+ p_udpip_hdr->zeros = 0;
|
|
||||||
+ p_udpip_hdr->ip_proto = IP_PROTO_UDP;
|
|
||||||
+ p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
|
|
||||||
+
|
|
||||||
+ udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12);
|
|
||||||
+
|
|
||||||
+ p_udp_hdr->uh_sum = 0;
|
|
||||||
+
|
|
||||||
+ int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
|
|
||||||
+ DPRINTF("+++ C+ mode UDP checksum %04x\n",
|
|
||||||
+ udp_checksum);
|
|
||||||
+
|
|
||||||
+ p_udp_hdr->uh_sum = udp_checksum;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* restore IP header */
|
|
||||||
+ memcpy(eth_payload_data, saved_ip_header, hlen);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
Date: Wed, 15 Jul 2015 14:30:37 +0100
|
|
||||||
Subject: [PATCH] rtl8139: skip offload on short Ethernet/IP header
|
|
||||||
(CVE-2015-5165)
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Transmit offload features access Ethernet and IP headers the packet. If
|
|
||||||
the packet is too short we must not attempt to access header fields:
|
|
||||||
|
|
||||||
int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
|
|
||||||
...
|
|
||||||
eth_payload_data = saved_buffer + ETH_HLEN;
|
|
||||||
...
|
|
||||||
ip = (ip_header*)eth_payload_data;
|
|
||||||
if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
|
|
||||||
|
|
||||||
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
|
|
||||||
Reviewed-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
(cherry picked from commit e1c120a9c54872f8a538ff9129d928de4e865cbd)
|
|
||||||
---
|
|
||||||
hw/net/rtl8139.c | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
|
||||||
index c044dee..4e22162 100644
|
|
||||||
--- a/hw/net/rtl8139.c
|
|
||||||
+++ b/hw/net/rtl8139.c
|
|
||||||
@@ -2150,6 +2150,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
|
|
||||||
{
|
|
||||||
DPRINTF("+++ C+ mode offloaded task checksum\n");
|
|
||||||
|
|
||||||
+ /* Large enough for Ethernet and IP headers? */
|
|
||||||
+ if (saved_size < ETH_HLEN + sizeof(ip_header)) {
|
|
||||||
+ goto skip_offload;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* ip packet header */
|
|
||||||
ip_header *ip = NULL;
|
|
||||||
int hlen = 0;
|
|
@ -1,55 +0,0 @@
|
|||||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
Date: Wed, 15 Jul 2015 17:32:32 +0100
|
|
||||||
Subject: [PATCH] rtl8139: check IP Header Length field (CVE-2015-5165)
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The IP Header Length field was only checked in the IP checksum case, but
|
|
||||||
is used in other cases too.
|
|
||||||
|
|
||||||
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
|
|
||||||
Reviewed-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
(cherry picked from commit 03247d43c577dfea8181cd40177ad5ba77c8db76)
|
|
||||||
---
|
|
||||||
hw/net/rtl8139.c | 19 ++++++++-----------
|
|
||||||
1 file changed, 8 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
|
||||||
index 4e22162..2d97866 100644
|
|
||||||
--- a/hw/net/rtl8139.c
|
|
||||||
+++ b/hw/net/rtl8139.c
|
|
||||||
@@ -2186,6 +2186,10 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
|
|
||||||
}
|
|
||||||
|
|
||||||
hlen = IP_HEADER_LENGTH(ip);
|
|
||||||
+ if (hlen < sizeof(ip_header) || hlen > eth_payload_len) {
|
|
||||||
+ goto skip_offload;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ip_protocol = ip->ip_p;
|
|
||||||
ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
|
|
||||||
|
|
||||||
@@ -2193,17 +2197,10 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
|
|
||||||
{
|
|
||||||
DPRINTF("+++ C+ mode need IP checksum\n");
|
|
||||||
|
|
||||||
- if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */
|
|
||||||
- /* bad packet header len */
|
|
||||||
- /* or packet too short */
|
|
||||||
- }
|
|
||||||
- else
|
|
||||||
- {
|
|
||||||
- ip->ip_sum = 0;
|
|
||||||
- ip->ip_sum = ip_checksum(ip, hlen);
|
|
||||||
- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n",
|
|
||||||
- hlen, ip->ip_sum);
|
|
||||||
- }
|
|
||||||
+ ip->ip_sum = 0;
|
|
||||||
+ ip->ip_sum = ip_checksum(ip, hlen);
|
|
||||||
+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n",
|
|
||||||
+ hlen, ip->ip_sum);
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
|
|
@ -1,36 +0,0 @@
|
|||||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
Date: Wed, 15 Jul 2015 17:34:40 +0100
|
|
||||||
Subject: [PATCH] rtl8139: check IP Total Length field (CVE-2015-5165)
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The IP Total Length field includes the IP header and data. Make sure it
|
|
||||||
is valid and does not exceed the Ethernet payload size.
|
|
||||||
|
|
||||||
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
|
|
||||||
Reviewed-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
(cherry picked from commit c6296ea88df040054ccd781f3945fe103f8c7c17)
|
|
||||||
---
|
|
||||||
hw/net/rtl8139.c | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
|
||||||
index 2d97866..c88bf9b 100644
|
|
||||||
--- a/hw/net/rtl8139.c
|
|
||||||
+++ b/hw/net/rtl8139.c
|
|
||||||
@@ -2191,7 +2191,12 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
|
|
||||||
}
|
|
||||||
|
|
||||||
ip_protocol = ip->ip_p;
|
|
||||||
- ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
|
|
||||||
+
|
|
||||||
+ ip_data_len = be16_to_cpu(ip->ip_len);
|
|
||||||
+ if (ip_data_len < hlen || ip_data_len > eth_payload_len) {
|
|
||||||
+ goto skip_offload;
|
|
||||||
+ }
|
|
||||||
+ ip_data_len -= hlen;
|
|
||||||
|
|
||||||
if (txdw0 & CP_TX_IPCS)
|
|
||||||
{
|
|
@ -1,37 +0,0 @@
|
|||||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
Date: Wed, 15 Jul 2015 17:36:15 +0100
|
|
||||||
Subject: [PATCH] rtl8139: skip offload on short TCP header (CVE-2015-5165)
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
TCP Large Segment Offload accesses the TCP header in the packet. If the
|
|
||||||
packet is too short we must not attempt to access header fields:
|
|
||||||
|
|
||||||
tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
|
|
||||||
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
|
|
||||||
|
|
||||||
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
|
|
||||||
Reviewed-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
(cherry picked from commit 4240be45632db7831129f124bcf53c1223825b0f)
|
|
||||||
---
|
|
||||||
hw/net/rtl8139.c | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
|
||||||
index c88bf9b..efde7b4 100644
|
|
||||||
--- a/hw/net/rtl8139.c
|
|
||||||
+++ b/hw/net/rtl8139.c
|
|
||||||
@@ -2210,6 +2210,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
|
|
||||||
|
|
||||||
if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
|
|
||||||
{
|
|
||||||
+ /* Large enough for the TCP header? */
|
|
||||||
+ if (ip_data_len < sizeof(tcp_header)) {
|
|
||||||
+ goto skip_offload;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
|
|
||||||
|
|
||||||
DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d "
|
|
@ -1,34 +0,0 @@
|
|||||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
Date: Wed, 15 Jul 2015 17:39:29 +0100
|
|
||||||
Subject: [PATCH] rtl8139: check TCP Data Offset field (CVE-2015-5165)
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The TCP Data Offset field contains the length of the header. Make sure
|
|
||||||
it is valid and does not exceed the IP data length.
|
|
||||||
|
|
||||||
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
|
|
||||||
Reviewed-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
||||||
(cherry picked from commit 8357946b15f0a31f73dd691b7da95f29318ed310)
|
|
||||||
---
|
|
||||||
hw/net/rtl8139.c | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
|
||||||
index efde7b4..d25e8c9 100644
|
|
||||||
--- a/hw/net/rtl8139.c
|
|
||||||
+++ b/hw/net/rtl8139.c
|
|
||||||
@@ -2239,6 +2239,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
|
|
||||||
|
|
||||||
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
|
|
||||||
|
|
||||||
+ /* Invalid TCP data offset? */
|
|
||||||
+ if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_len) {
|
|
||||||
+ goto skip_offload;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* ETH_MTU = ip header len + tcp header len + payload */
|
|
||||||
int tcp_data_len = ip_data_len - tcp_hlen;
|
|
||||||
int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
|
|
42
qemu.spec
42
qemu.spec
@ -42,8 +42,8 @@
|
|||||||
|
|
||||||
Summary: QEMU is a FAST! processor emulator
|
Summary: QEMU is a FAST! processor emulator
|
||||||
Name: qemu
|
Name: qemu
|
||||||
Version: 2.3.0
|
Version: 2.3.1
|
||||||
Release: 7%{?dist}
|
Release: 1%{?dist}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
License: GPLv2+ and LGPLv2+ and BSD
|
License: GPLv2+ and LGPLv2+ and BSD
|
||||||
Group: Development/Tools
|
Group: Development/Tools
|
||||||
@ -71,44 +71,19 @@ Source12: bridge.conf
|
|||||||
# qemu-kvm back compat wrapper
|
# qemu-kvm back compat wrapper
|
||||||
Source13: qemu-kvm.sh
|
Source13: qemu-kvm.sh
|
||||||
|
|
||||||
# CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access
|
|
||||||
# (bz #1221152)
|
|
||||||
Patch0001: 0001-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
|
|
||||||
# CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz
|
# CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz
|
||||||
# #1222894)
|
# #1222894)
|
||||||
Patch0002: 0002-slirp-use-less-predictable-directory-name-in-tmp-for.patch
|
Patch0001: 0001-slirp-use-less-predictable-directory-name-in-tmp-for.patch
|
||||||
# Fix: qemu-img: error while compressing sector <NNN>: Input/output
|
# Fix: qemu-img: error while compressing sector <NNN>: Input/output
|
||||||
# error (bz #1214855)
|
# error (bz #1214855)
|
||||||
Patch0003: 0003-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch
|
Patch0002: 0002-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch
|
||||||
# Fix crash in qemu_spice_create_display (bz #1163047)
|
|
||||||
Patch0004: 0004-spice-display-fix-segfault-in-qemu_spice_create_upda.patch
|
|
||||||
# Fix qemu-img map crash for unaligned image (bz #1229394)
|
# Fix qemu-img map crash for unaligned image (bz #1229394)
|
||||||
Patch0005: 0005-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
|
Patch0003: 0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
|
||||||
# CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz
|
# CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz
|
||||||
# #1230536)
|
# #1230536)
|
||||||
Patch0006: 0006-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch
|
Patch0004: 0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch
|
||||||
# CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728)
|
|
||||||
Patch0007: 0007-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch
|
|
||||||
# CVE-2015-5158: scsi stack buffer overflow (bz #1246025)
|
|
||||||
Patch0008: 0008-scsi-fix-buffer-overflow-in-scsi_req_parse_cdb-CVE-2.patch
|
|
||||||
# CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory
|
|
||||||
# access (bz #1247141)
|
|
||||||
Patch0009: 0009-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch
|
|
||||||
Patch0010: 0010-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch
|
|
||||||
Patch0011: 0011-ide-Clear-DRQ-after-handling-all-expected-accesses.patch
|
|
||||||
# CVE-2015-5166: BlockBackend object use after free issue (bz #1249758)
|
|
||||||
Patch0012: 0012-Fix-release_drive-on-unplugged-devices-pci_piix3_xen.patch
|
|
||||||
# CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160)
|
# CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160)
|
||||||
Patch0013: 0013-virtio-serial-fix-ANY_LAYOUT.patch
|
Patch0005: 0005-virtio-serial-fix-ANY_LAYOUT.patch
|
||||||
# CVE-2015-5165: rtl8139 uninitialized heap memory information leakage
|
|
||||||
# to guest (bz #1249755)
|
|
||||||
Patch0014: 0014-rtl8139-avoid-nested-ifs-in-IP-header-parsing-CVE-20.patch
|
|
||||||
Patch0015: 0015-rtl8139-drop-tautologous-if-ip-.-statement-CVE-2015-.patch
|
|
||||||
Patch0016: 0016-rtl8139-skip-offload-on-short-Ethernet-IP-header-CVE.patch
|
|
||||||
Patch0017: 0017-rtl8139-check-IP-Header-Length-field-CVE-2015-5165.patch
|
|
||||||
Patch0018: 0018-rtl8139-check-IP-Total-Length-field-CVE-2015-5165.patch
|
|
||||||
Patch0019: 0019-rtl8139-skip-offload-on-short-TCP-header-CVE-2015-51.patch
|
|
||||||
Patch0020: 0020-rtl8139-check-TCP-Data-Offset-field-CVE-2015-5165.patch
|
|
||||||
|
|
||||||
BuildRequires: SDL2-devel
|
BuildRequires: SDL2-devel
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
@ -1211,6 +1186,9 @@ getent passwd qemu >/dev/null || \
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 11 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-1
|
||||||
|
- Rebased to version 2.3.1
|
||||||
|
|
||||||
* Tue Aug 11 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.0-7
|
* Tue Aug 11 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.0-7
|
||||||
- Fix crash in qemu_spice_create_display (bz #1163047)
|
- Fix crash in qemu_spice_create_display (bz #1163047)
|
||||||
- Fix qemu-img map crash for unaligned image (bz #1229394)
|
- Fix qemu-img map crash for unaligned image (bz #1229394)
|
||||||
|
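Review bot: The new `%changelog` entry for 2:2.3.1-1 says only `- Rebased to version 2.3.1`, while this section drops the Patch lines for CVE-2015-3456, CVE-2015-3214, CVE-2015-5158, CVE-2015-5154, CVE-2015-5166 and CVE-2015-5165. Presumably those fixes are part of the 2.3.1 source, but nothing on the page shows that, so each dropped patch should be checked against the new tarball before the build is published. I would add a changelog line such as `- Dropped patches for CVE-2015-3456, CVE-2015-3214, CVE-2015-5158, CVE-2015-5154, CVE-2015-5166 and CVE-2015-5165, now included upstream`, so the package history still records where each fix lives.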