poky/meta/recipes-devtools/qemu/qemu/0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch - openbmc/openbmc - Gitiles

 Upstream-Status: Backport

 https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html

 From dc21a9d2951f0a2a7e63633e2b5c68c54e4edc4b Mon Sep 17 00:00:00 2001
 From: Jeremy Puhlman <jpuhlman@mvista.com>
 Date: Thu, 14 Jun 2018 01:28:49 +0000
 Subject: [PATCH] CVE-2018-11806 QEMU: slirp: heap buffer overflow

 Subject: [Qemu-devel] [PATCH 1/2] slirp: correct size computation while concatenating mbuf
 Date:	Tue, 5 Jun 2018 23:38:35 +0530
 From: Prasad J Pandit <address@hidden>

 While reassembling incoming fragmented datagrams, 'm_cat' routine
 extends the 'mbuf' buffer, if it has insufficient room. It computes
 a wrong buffer size, which leads to overwriting adjacent heap buffer
 area. Correct this size computation in m_cat.

 Reported-by: ZDI Disclosures <address@hidden>
 Signed-off-by: Prasad J Pandit <address@hidden>
 ---
  slirp/mbuf.c | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

 Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
 ---
  slirp/mbuf.c | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

 diff --git a/slirp/mbuf.c b/slirp/mbuf.c
 index 5ff2455..7fb4501 100644
 --- a/slirp/mbuf.c
 +++ b/slirp/mbuf.c
 @@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
  	 * If there's no room, realloc
  	 */
  	if (M_FREEROOM(m) < n->m_len)
 -		m_inc(m,m->m_size+MINCSIZE);
 +               m_inc(m, m->m_len + n->m_len);

  	memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
  	m->m_len += n->m_len;
 @@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)

          if (m->m_flags & M_EXT) {
  	  datasize = m->m_data - m->m_ext;
 -          m->m_ext = g_realloc(m->m_ext, size);
 +          m->m_ext = g_realloc(m->m_ext, size + datasize);
  	  m->m_data = m->m_ext + datasize;
          } else {
  	  char *dat;
  	  datasize = m->m_data - m->m_dat;
 -          dat = g_malloc(size);
 +          dat = g_malloc(size + datasize);
  	  memcpy(dat, m->m_dat, m->m_size);

  	  m->m_ext = dat;
 @@ -171,7 +171,7 @@ m_inc(struct mbuf *m, int size)
  	  m->m_flags |= M_EXT;
          }

 -        m->m_size = size;
 +        m->m_size = size + datasize;

  }

 --
 2.13.3
	Upstream-Status: Backport

	https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html

	From dc21a9d2951f0a2a7e63633e2b5c68c54e4edc4b Mon Sep 17 00:00:00 2001
	From: Jeremy Puhlman <jpuhlman@mvista.com>
	Date: Thu, 14 Jun 2018 01:28:49 +0000
	Subject: [PATCH] CVE-2018-11806 QEMU: slirp: heap buffer overflow

	Subject: [Qemu-devel] [PATCH 1/2] slirp: correct size computation while concatenating mbuf
	Date: Tue, 5 Jun 2018 23:38:35 +0530
	From: Prasad J Pandit <address@hidden>

	While reassembling incoming fragmented datagrams, 'm_cat' routine
	extends the 'mbuf' buffer, if it has insufficient room. It computes
	a wrong buffer size, which leads to overwriting adjacent heap buffer
	area. Correct this size computation in m_cat.

	Reported-by: ZDI Disclosures <address@hidden>
	Signed-off-by: Prasad J Pandit <address@hidden>
	---
	slirp/mbuf.c \| 8 ++++----
	1 file changed, 4 insertions(+), 4 deletions(-)

	Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
	---
	slirp/mbuf.c \| 8 ++++----
	1 file changed, 4 insertions(+), 4 deletions(-)

	diff --git a/slirp/mbuf.c b/slirp/mbuf.c
	index 5ff2455..7fb4501 100644
	--- a/slirp/mbuf.c
	+++ b/slirp/mbuf.c
	@@ -138,7 +138,7 @@ m_cat(struct mbuf m, struct mbuf n)
	* If there's no room, realloc
	*/
	if (M_FREEROOM(m) < n->m_len)
	- m_inc(m,m->m_size+MINCSIZE);
	+ m_inc(m, m->m_len + n->m_len);

	memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
	m->m_len += n->m_len;
	@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)

	if (m->m_flags & M_EXT) {
	datasize = m->m_data - m->m_ext;
	- m->m_ext = g_realloc(m->m_ext, size);
	+ m->m_ext = g_realloc(m->m_ext, size + datasize);
	m->m_data = m->m_ext + datasize;
	} else {
	char *dat;
	datasize = m->m_data - m->m_dat;
	- dat = g_malloc(size);
	+ dat = g_malloc(size + datasize);
	memcpy(dat, m->m_dat, m->m_size);

	m->m_ext = dat;
	@@ -171,7 +171,7 @@ m_inc(struct mbuf *m, int size)
	m->m_flags \|= M_EXT;
	}

	- m->m_size = size;
	+ m->m_size = size + datasize;

	}

	--
	2.13.3