parent
d9094d4c0b
commit
87dd0b268a
@ -0,0 +1,43 @@
|
||||
From bd9cd78c23e18fb0cb4eee4de5f8a761ebb82698 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Thu, 18 Sep 2014 08:35:37 +0200
|
||||
Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
|
||||
uninitialized socket
|
||||
|
||||
When guest sends udp packet with source port and source addr 0,
|
||||
uninitialized socket is picked up when looking for matching and already
|
||||
created udp sockets, and later passed to sosendto() where NULL pointer
|
||||
dereference is hit during so->slirp->vnetwork_mask.s_addr access.
|
||||
|
||||
Fix this by checking that the socket is not just a socket stub.
|
||||
|
||||
This is CVE-2014-3640.
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
|
||||
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
|
||||
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||
Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
|
||||
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
|
||||
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
|
||||
(cherry picked from commit 9a72433843d912a45046959b1953861211d1838d)
|
||||
---
|
||||
slirp/udp.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/slirp/udp.c b/slirp/udp.c
|
||||
index b105f87..2188176 100644
|
||||
--- a/slirp/udp.c
|
||||
+++ b/slirp/udp.c
|
||||
@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
|
||||
* Locate pcb for datagram.
|
||||
*/
|
||||
so = slirp->udp_last_so;
|
||||
- if (so->so_lport != uh->uh_sport ||
|
||||
+ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
|
||||
so->so_laddr.s_addr != ip->ip_src.s_addr) {
|
||||
struct socket *tmp;
|
||||
|
@ -139,7 +139,7 @@
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 1.6.2
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
@ -357,6 +357,8 @@ Patch0408: 0408-Allow-mismatched-virtio-config-len.patch
|
||||
Patch0409: 0409-vbe-make-bochs-dispi-interface-return-the-correct-me.patch
|
||||
Patch0410: 0410-vbe-rework-sanity-checks.patch
|
||||
Patch0411: 0411-spice-make-sure-we-don-t-overflow-ssd-buf.patch
|
||||
# CVE-2014-3640 qemu: slirp: NULL pointer (bz #1144821, bz #1144818)
|
||||
Patch0412: 0412-slirp-udp-fix-NULL-pointer-dereference-because-of-un.patch
|
||||
|
||||
BuildRequires: SDL-devel
|
||||
BuildRequires: zlib-devel
|
||||
@ -1046,6 +1048,8 @@ CAC emulation development files.
|
||||
%patch0409 -p1
|
||||
%patch0410 -p1
|
||||
%patch0411 -p1
|
||||
# CVE-2014-3640 qemu: slirp: NULL pointer (bz #1144821, bz #1144818)
|
||||
%patch0412 -p1
|
||||
|
||||
|
||||
%build
|
||||
@ -1753,6 +1757,9 @@ getent passwd qemu >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Sep 26 2014 Cole Robinson <crobinso@redhat.com> - 2:1.6.2-9
|
||||
- CVE-2014-3640 qemu: slirp: NULL pointer (bz #1144821, bz #1144818)
|
||||
|
||||
* Mon Sep 08 2014 Cole Robinson <crobinso@redhat.com> - 2:1.6.2-8
|
||||
- Fix spice audio playback sample rate (bz #1129961)
|
||||
- Fix virtio-blk migration incompatibility caused by CVE backport (bz
|
||||
|
Loading…
Reference in New Issue
Block a user