169b9a
From b25ccac372f3289d7b0b5500064fe0a38eb32d6f Mon Sep 17 00:00:00 2001
169b9a
From: Xiao Wang <jasowang@redhat.com>
169b9a
Date: Wed, 8 Aug 2018 08:44:36 +0200
169b9a
Subject: [PATCH 4/4] slirp: Correct size check in m_inc()
169b9a
169b9a
RH-Author: Xiao Wang <jasowang@redhat.com>
169b9a
Message-id: <1533717876-2330-1-git-send-email-jasowang@redhat.com>
169b9a
Patchwork-id: 81676
169b9a
O-Subject: [RHEL-7.6/7.5z qemu-kvm PATCH] slirp: Correct size check in m_inc()
169b9a
Bugzilla: 1586253
169b9a
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
169b9a
RH-Acked-by: wexu@redhat.com
169b9a
RH-Acked-by: Thomas Huth <thuth@redhat.com>
169b9a
169b9a
From: Peter Maydell <peter.maydell@linaro.org>
169b9a
169b9a
Notes:
169b9a
- Conflict since we lacks 6da5de1ee87e ("slirp: reformat m_inc
169b9a
  routine"), and its backport has various other dependicies.
169b9a
- This is a fixup for CVE-2018-11806 fix
169b9a
169b9a
The data in an mbuf buffer is not necessarily at the start of the
169b9a
allocated buffer. (For instance m_adj() allows data to be trimmed
169b9a
from the start by just advancing the pointer and reducing the length.)
169b9a
This means that the allocated buffer size (m->m_size) and the
169b9a
amount of space from the m_data pointer to the end of the
169b9a
buffer (M_ROOM(m)) are not necessarily the same.
169b9a
169b9a
Commit 864036e251f54c9 tried to change the m_inc() function from
169b9a
taking the new allocated-buffer-size to taking the new room-size,
169b9a
but forgot to change the initial "do we already have enough space"
169b9a
check. This meant that if we were trying to extend a buffer which
169b9a
had a leading gap between the buffer start and the data, we might
169b9a
incorrectly decide it didn't need to be extended, and then
169b9a
overrun the end of the buffer, causing memory corruption and
169b9a
an eventual crash.
169b9a
169b9a
Change the "already big enough?" condition from checking the
169b9a
argument against m->m_size to checking against M_ROOM().
169b9a
This only makes a difference for the callsite in m_cat();
169b9a
the other three callsites all start with a freshly allocated
169b9a
mbuf from m_get(), which will have m->m_size == M_ROOM(m).
169b9a
169b9a
Fixes: 864036e251f54c9
169b9a
Fixes: https://bugs.launchpad.net/qemu/+bug/1785670
169b9a
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
169b9a
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
169b9a
Message-id: 20180807114501.12370-1-peter.maydell@linaro.org
169b9a
Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
169b9a
(cherry picked from commit c22098c74a09164797fae6511c5eaf68f32c4dd8)
169b9a
Signed-off-by: Jason Wang <jasowang@redhat.com>
169b9a
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
169b9a
---
169b9a
 slirp/mbuf.c | 6 ++++--
169b9a
 1 file changed, 4 insertions(+), 2 deletions(-)
169b9a
169b9a
diff --git a/slirp/mbuf.c b/slirp/mbuf.c
169b9a
index ced2033..63f071f 100644
169b9a
--- a/slirp/mbuf.c
169b9a
+++ b/slirp/mbuf.c
169b9a
@@ -154,8 +154,10 @@ m_inc(struct mbuf *m, int size)
169b9a
 {
169b9a
 	int datasize;
169b9a
 
169b9a
-	/* some compiles throw up on gotos.  This one we can fake. */
169b9a
-        if(m->m_size>size) return;
169b9a
+    /* some compilers throw up on gotos.  This one we can fake. */
169b9a
+    if (M_ROOM(m) > size) {
169b9a
+        return;
169b9a
+    }
169b9a
 
169b9a
         if (m->m_flags & M_EXT) {
169b9a
 	  datasize = m->m_data - m->m_ext;
169b9a
-- 
169b9a
1.8.3.1
169b9a