Blame SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch

From dff4ed62fe8723574ac36029574364ddf85b7fe6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Mon, 8 Jul 2019 15:50:28 +0100
Subject: [PATCH 1/7] slirp: check sscanf result when emulating ident
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: <20190708155031.7778-2-philmd@redhat.com>
Patchwork-id: 89431
O-Subject: [RHEL-8.0.0 qemu-kvm PATCH 1/4] slirp: check sscanf result when emulating ident
Bugzilla: 1732324
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>

From: William Bowling <will@wbowling.info>

When emulating ident in tcp_emu, if the strchr checks passed but the
sscanf check failed, two uninitialized variables would be copied and
sent in the reply, so move this code inside the if(sscanf()) clause.
69f3e1
69f3e1
Signed-off-by: William Bowling <will@wbowling.info>
Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
Fixes: CVE-2019-9824
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
 slirp/tcp_subr.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index 1c7eb28..af1b3eb 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -665,12 +665,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
 							break;
 						}
 					}
+					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+								 so_rcv->sb_datalen,
+								 "%d,%d\r\n", n1, n2);
+					so_rcv->sb_rptr = so_rcv->sb_data;
+					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
 				}
-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
-                                                         so_rcv->sb_datalen,
-                                                         "%d,%d\r\n", n1, n2);
-				so_rcv->sb_rptr = so_rcv->sb_data;
-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
 			}
 			m_free(m);
 			return 0;
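Review bot: `so_rcv->sb_cc = snprintf(so_rcv->sb_data, so_rcv->sb_datalen, "%d,%d\r\n", n1, n2)` stores snprintf's return value, which is the length the output would have had rather than the number of bytes actually written, so if it ever exceeded sb_datalen the following `so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc` would leave the write pointer past the end of the buffer. With two ints and this format the output is at most 25 bytes, so this is a pre-existing theoretical concern rather than something this hunk introduces, but a short comment or an explicit clamp against sb_datalen next to the moved lines would make that invariant visible to the next reader. Otherwise the move itself is right: the reply is now only built inside the sscanf branch, so n1 and n2 are formatted only after both were parsed, and the request is silently dropped (m_free, return 0) on the malformed path. Minor style point: the removed lines were space-indented while the re-added ones use the tabs the surrounding code uses, so the hunk also quietly fixes a whitespace inconsistency.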
-- 
1.8.3.1
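As an added illustration of the bug class the commit message describes (not slirp's or QEMU's code), the following is a stand-alone model of the ident reply path: a request is only answered once it carries a CR/LF terminator and both port numbers have actually been parsed, so the reply can never be built from uninitialised locals. The RFC 1413 request format, the scanf pattern and the buffer size are assumptions of this example, and the `ident_check` helper exists only to make the behaviour testable.

```c
/* Added example, not QEMU/libslirp code: the ident reply path with the
 * CVE-2019-9824 ordering (parse first, then format). */
#include <stdio.h>
#include <string.h>

#define IDENT_MAX 64 /* assumed request size limit for this example */

/* Build the reply for an RFC 1413 request such as "6191, 23\r\n".
 * Returns the reply length written to out, or 0 when no reply must be
 * sent (request incomplete, malformed, or reply would not fit). */
static size_t ident_reply_fixed(const char *req, size_t reqlen,
                                char *out, size_t outlen)
{
    char data[IDENT_MAX + 1];
    unsigned n1, n2; /* deliberately left uninitialised, as in tcp_emu */
    int n;

    if (reqlen > IDENT_MAX)
        return 0;
    memcpy(data, req, reqlen);
    data[reqlen] = '\0'; /* NUL-terminate before any string function */

    /* Wait for a complete line before trying to parse it. */
    if (!strchr(data, '\r') && !strchr(data, '\n'))
        return 0;

    /* The fix: only format a reply once BOTH numbers were parsed.
     * Before the patch the snprintf below ran even when this failed. */
    if (sscanf(data, "%u%*[ ,]%u", &n1, &n2) != 2)
        return 0; /* malformed request: drop it, send nothing, out untouched */

    n = snprintf(out, outlen, "%u,%u\r\n", n1, n2);
    if (n < 0 || (size_t)n >= outlen)
        return 0; /* never advance a write pointer by a truncated length */
    return (size_t)n;
}

/* Test helper (hypothetical): reply to req into a buffer of outlen bytes
 * and compare with expect; expect == NULL means "no reply allowed". */
static int ident_check(const char *req, const char *expect, size_t outlen)
{
    char out[32] = "";
    size_t n = ident_reply_fixed(req, strlen(req), out, outlen);

    if (expect == NULL)
        return n == 0;
    return n == strlen(expect) && strcmp(out, expect) == 0;
}
```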