diff --git a/gnu/local.mk b/gnu/local.mk index 6ce446d91a..bf79b8f3c4 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1073,6 +1073,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-unittest2-remove-argparse.patch \ %D%/packages/patches/python-waitress-fix-tests.patch \ %D%/packages/patches/qemu-glibc-2.27.patch \ + %D%/packages/patches/qemu-CVE-2018-11806.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtbase-use-TZDIR.patch \ %D%/packages/patches/qtscript-disable-tests.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2018-11806.patch b/gnu/packages/patches/qemu-CVE-2018-11806.patch new file mode 100644 index 0000000000..f021dfa747 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2018-11806.patch @@ -0,0 +1,105 @@ +Fix CVE-2018-11806: + +https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806 + +Patch copied from upstream source repository: + +https://git.qemu.org/?p=qemu.git;a=commitdiff;h=864036e251f54c99d31df124aad7f34f01f5344c + +From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 5 Jun 2018 23:38:35 +0530 +Subject: [PATCH] slirp: correct size computation while concatenating mbuf + +While reassembling incoming fragmented datagrams, 'm_cat' routine +extends the 'mbuf' buffer, if it has insufficient room. It computes +a wrong buffer size, which leads to overwriting adjacent heap buffer +area. Correct this size computation in m_cat. + +Reported-by: ZDI Disclosures +Signed-off-by: Prasad J Pandit +Signed-off-by: Samuel Thibault +--- + slirp/mbuf.c | 11 +++++------ + slirp/mbuf.h | 8 +++----- + 2 files changed, 8 insertions(+), 11 deletions(-) + +diff --git a/slirp/mbuf.c b/slirp/mbuf.c +index 5ff24559fd..18cbf759a7 100644 +--- a/slirp/mbuf.c ++++ b/slirp/mbuf.c +@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n) + * If there's no room, realloc + */ + if (M_FREEROOM(m) < n->m_len) +- m_inc(m,m->m_size+MINCSIZE); ++ m_inc(m, m->m_len + n->m_len); + + memcpy(m->m_data+m->m_len, n->m_data, n->m_len); + m->m_len += n->m_len; +@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n) + } + + +-/* make m size bytes large */ ++/* make m 'size' bytes large from m_data */ + void + m_inc(struct mbuf *m, int size) + { +@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size) + + if (m->m_flags & M_EXT) { + datasize = m->m_data - m->m_ext; +- m->m_ext = g_realloc(m->m_ext, size); ++ m->m_ext = g_realloc(m->m_ext, size + datasize); + m->m_data = m->m_ext + datasize; + } else { + char *dat; + datasize = m->m_data - m->m_dat; +- dat = g_malloc(size); ++ dat = g_malloc(size + datasize); + memcpy(dat, m->m_dat, m->m_size); + + m->m_ext = dat; +@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size) + m->m_flags |= M_EXT; + } + +- m->m_size = size; +- ++ m->m_size = size + datasize; + } + + +diff --git a/slirp/mbuf.h b/slirp/mbuf.h +index 893601ff9d..33b84485d6 100644 +--- a/slirp/mbuf.h ++++ b/slirp/mbuf.h +@@ -33,8 +33,6 @@ + #ifndef MBUF_H + #define MBUF_H + +-#define MINCSIZE 4096 /* Amount to increase mbuf if too small */ +- + /* + * Macros for type conversion + * mtod(m,t) - convert mbuf pointer to data pointer of correct type +@@ -72,11 +70,11 @@ struct mbuf { + struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */ + int m_flags; /* Misc flags */ + +- int m_size; /* Size of data */ ++ int m_size; /* Size of mbuf, from m_dat or m_ext */ + struct socket *m_so; + +- caddr_t m_data; /* Location of data */ +- int m_len; /* Amount of data in this mbuf */ ++ caddr_t m_data; /* Current location of data */ ++ int m_len; /* Amount of data in this mbuf, from m_data */ + + Slirp *slirp; + bool resolution_requested; +-- +2.17.1 + diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 61f0245289..b82dcb4c80 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -98,6 +98,7 @@ (method url-fetch) (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) + (patches (search-patches "qemu-CVE-2018-11806.patch")) (sha256 (base32 "1z66spkm1prvhbq7h5mfnp0i6mmamsb938fqmdfvyrgzc7rh34z6"))))