From fa868f9d2fcefaa33b25974bce8cbfdae4fbdaf8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 26 2019 10:41:24 +0000
Subject: import qemu-kvm-ma-2.12.0-33.el7_7.1
---
diff --git a/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch b/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
new file mode 100644
index 0000000..ddc256f
--- /dev/null
+++ b/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
@@ -0,0 +1,56 @@
+From 1cde1aa618f1ef1f847f192c86cef52446d6546d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Thu, 1 Aug 2019 16:43:56 +0200
+Subject: [PATCH] Fix heap overflow in ip_reass on big packet input
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé
+Message-id: <20190801164356.14992-2-philmd@redhat.com>
+Patchwork-id: 89857
+O-Subject: [RHEL-7.7 qemu-kvm-ma PATCH 1/1] Fix heap overflow in ip_reass on big packet input
+Bugzilla: 1735652
+RH-Acked-by: Marc-André Lureau
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Thomas Huth
+
+From: Samuel Thibault
+
+When the first fragment does not fit in the preallocated buffer, q will
+already be pointing to the ext buffer, so we mustn't try to update it.
+
+Signed-off-by: Samuel Thibault
+(cherry picked from libslirp commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210)
+Signed-off-by: Philippe Mathieu-Daudé
+
+Signed-off-by: Miroslav Rezanina
+---
+ slirp/ip_input.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/slirp/ip_input.c b/slirp/ip_input.c
+index 348e1dc..07d8808 100644
+--- a/slirp/ip_input.c
++++ b/slirp/ip_input.c
+@@ -334,6 +334,8 @@ insert:
+ q = fp->frag_link.next;
+ m = dtom(slirp, q);
+
++ int was_ext = m->m_flags & M_EXT;
++
+ q = (struct ipasfrag *) q->ipf_next;
+ while (q != (struct ipasfrag*)&fp->frag_link) {
+ struct mbuf *t = dtom(slirp, q);
+@@ -356,7 +358,7 @@ insert:
+ * the old buffer (in the mbuf), so we must point ip
+ * into the new buffer.
+ */
+- if (m->m_flags & M_EXT) {
++ if (!was_ext && m->m_flags & M_EXT) {
+ int delta = (char *)q - m->m_dat;
+ q = (struct ipasfrag *)(m->m_ext + delta);
+ }
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index e372a7f..50f62ae 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
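Review bot: The corrected condition `if (!was_ext && m->m_flags & M_EXT) {` leaves the reader to infer why the pre-loop snapshot matters; the block comment just above it still only says the data may have moved into a new buffer, which no longer covers the case the commit message describes. I would extend that comment with a line such as `* If m was already M_EXT before the loop, q already points into m_ext and must not be offset a second time.` and parenthesise the bitwise test, `if (!was_ext && (m->m_flags & M_EXT)) {`, so the precedence is explicit to the next reader. The `int was_ext = m->m_flags & M_EXT;` declaration also sits after two statements; if this tree keeps declarations at the top of the block, as the `struct mbuf *t` line in the loop below suggests, it should move up with the other locals. The enclosing function (ip_reass, per the subject) starts and ends outside the hunk.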
@@ -108,7 +108,7 @@ Obsoletes: %1%{rhel_ma_suffix} < %{obsoletes_version2} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 2.12.0
-Release: 33%{?dist}
+Release: 33%{?dist}.1
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2 and GPLv2+ and CC-BY
@@ -1854,6 +1854,8 @@ Patch848: kvm-blockdev-fix-missed-target-unref-for-drive-backup.patch
 Patch849: kvm-vl-Fix-drive-blockdev-persistent-reservation-managem.patch
 # For bz#1608226 - [virtual-network][mq] prompt warning "qemu-kvm: unable to start vhost net: 14: falling back on userspace virtio" when boot with win8+ guests with multi-queue
 Patch850: kvm-vhost_net-don-t-set-backend-for-the-uninitialized-vi.patch
+# For bz#1735652 - CVE-2019-14378 qemu-kvm-ma: QEMU: slirp: heap buffer overflow during packet reassembly [rhel-7.7.z]
+Patch851: kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
 
 BuildRequires: zlib-devel
 BuildRequires: glib2-devel
@@ -2921,6 +2923,7 @@ ApplyOptionalPatch()
 %patch848 -p1
 %patch849 -p1
 %patch850 -p1
+%patch851 -p1
 
 # Fix executable permission for iotests
 chmod 755 $(ls tests/qemu-iotests/???)
@@ -3455,6 +3458,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 
 %changelog
+* Mon Aug 12 2019 Miroslav Rezanina - 2.12.0-33.el7_7.1
+- kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch [bz#1735652]
+- Resolves: bz#1735652
+ (CVE-2019-14378 qemu-kvm-ma: QEMU: slirp: heap buffer overflow during packet reassembly [rhel-7.7.z])
+
 * Thu Jun 20 2019 Miroslav Rezanina - 2.12.0-33.el7
 - kvm-vhost_net-don-t-set-backend-for-the-uninitialized-vi.patch [bz#1608226]
 - Resolves: bz#1608226