Gentoo Archives: gentoo-commits

From: "Doug Goldstein (cardoe)" <cardoe@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in app-emulation/qemu/files: qemu-2.3.0-CVE-2015-5158.patch
Date: Sat, 25 Jul 2015 19:53:57
Message-Id: 20150725195347.A8B78ED@oystercatcher.gentoo.org
cardoe 15/07/25 19:53:47

Added: qemu-2.3.0-CVE-2015-5158.patch
Log:
Add fix from upstream for CVE-2015-5158 #555680 by Agostino Sarubbo.

(Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key A2BC03DC87ED1BD4!)

Revision Changes Path
1.1 app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch?rev=1.1&content-type=text/plain

Index: qemu-2.3.0-CVE-2015-5158.patch
===================================================================
commit c170aad8b057223b1139d72e5ce7acceafab4fa9
Author: Paolo Bonzini <pbonzini@××××××.com>
Date: Tue Jul 21 08:59:39 2015 +0200

scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer. scsi_cdb_length returns -1 as an error value, but the
caller does not check it.

Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.

Reported-by: Zhu Donghai (朱东海) <donghai.zdh@×××××××××××.com>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Reviewed-by: Fam Zheng <famz@××××××.com>
Cc: qemu-stable@××××××.org
Signed-off-by: Paolo Bonzini <pbonzini@××××××.com>

36 diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
37 index f50b2f0..f0ae462 100644
38 --- a/hw/scsi/scsi-bus.c
39 +++ b/hw/scsi/scsi-bus.c
40 @@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
41 int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
42 {
43 int rc;
44 + int len;
45
46 cmd->lba = -1;
47 - cmd->len = scsi_cdb_length(buf);
48 + len = scsi_cdb_length(buf);
49 + if (len < 0) {
50 + return -1;
51 + }
52
53 + cmd->len = len;
54 switch (dev->type) {
55 case TYPE_TAPE:
56 rc = scsi_req_stream_xfer(cmd, dev, buf);
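Review bot: the early `if (len < 0) { return -1; }` is placed before `cmd->len = len;`, so a CDB that scsi_cdb_length rejects no longer leaves a negative length in the SCSICommand for the later per-device-type parsing to consume; that ordering is the substance of the fix and is correct. What the hunk does not show is the other half of the contract: scsi_req_parse_cdb now has a new -1 return path, and every caller must treat it as "command not parsed, cmd is not fully initialised" rather than continuing with the partially filled structure, which should be confirmed against the callers outside this hunk. A short comment above the return stating that -1 means the CDB opcode was not recognised and cmd->len was never set would make that contract explicit for future callers.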