[pve-devel] [PATCH kvm] added fixes for CVE-2015-7504 and CVE-2015-7512

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Nov 30 13:18:47 CET 2015


Affected components: pcnet (so not exposed via our GUI)

The patches were tagged for 2.5 but the code they're
modifying is still the same as it was in 2.4. They apply
and work.
---
 ...dd-check-to-validate-receive-data-size-CV.patch | 48 ++++++++++++++++++++++
 ...cnet-fix-rx-buffer-overflow-CVE-2015-7512.patch | 36 ++++++++++++++++
 debian/patches/series                              |  2 +
 3 files changed, 86 insertions(+)
 create mode 100644 debian/patches/0001-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
 create mode 100644 debian/patches/0002-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch

diff --git a/debian/patches/0001-net-pcnet-add-check-to-validate-receive-data-size-CV.patch b/debian/patches/0001-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
new file mode 100644
index 0000000..39eceba
--- /dev/null
+++ b/debian/patches/0001-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
@@ -0,0 +1,48 @@
+From 6314c83ae14ee32835668e38bb55f4b93b800736 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Mon, 30 Nov 2015 15:38:22 +0800
+Subject: [PATCH 1/2] net: pcnet: add check to validate receive data
+ size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported by: Qinghao Tang <luodalongde at gmail.com>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/pcnet.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 0eb3cc4..309c40b 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+                 uint32_t fcs = ~0;
+                 uint8_t *p = src;
+ 
+-                while (p != &src[size-4])
++                while (p != &src[size])
+                     CRC(fcs, *p++);
+                 crc_err = (*(uint32_t *)p != htonl(fcs));
+             }
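Review bot: the changed loop bound in the pcnet_receive hunk at line 1084 makes `crc_err = (*(uint32_t *)p != htonl(fcs));` read the four bytes starting at `&src[size]`, and nothing in this hunk bounds `size`; the read stays inside `s->buffer` only because the pcnet_transmit hunk below reserves the last four bytes of the buffer for the FCS. That dependency deserves a comment here, next to the comparison, not only in pcnet_transmit. The subject line says "add check to validate receive data size", but this hunk adds no check and only moves the loop bound from `&src[size-4]` to `&src[size]`; the check itself lives in pcnet_transmit, so the commit message should say that the loopback CRC is now computed over all `size` bytes and compared with the FCS stored after them.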
+@@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s)
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+ 
+         /* if multi-tmd packet outsizes s->buffer then skip it silently.
+-           Note: this is not what real hw does */
+-        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++         * Note: this is not what real hw does.
++         * Last four bytes of s->buffer are used to store CRC FCS code.
++         */
++        if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+             s->xmit_pos = -1;
+             goto txdone;
+         }
+-- 
+2.1.4
+
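Review bot: the tightened condition `if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4)` in the pcnet_transmit hunk at line 1233 also changes behaviour for transmits that used to fit: a descriptor chain whose data reaches into the last four bytes of `s->buffer` is now skipped silently via `s->xmit_pos = -1; goto txdone;` instead of being sent. That is the right trade-off given the FCS reservation, but the commit message should state that the largest multi-TMD frame accepted shrinks by four bytes. The literal `4` here is also the reservation that the `&src[size]` read in the receive hunk relies on; a named constant for the FCS length would tie the two places together instead of leaving a bare number in the comparison.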
diff --git a/debian/patches/0002-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch b/debian/patches/0002-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
new file mode 100644
index 0000000..72c8d25
--- /dev/null
+++ b/debian/patches/0002-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
@@ -0,0 +1,36 @@
+From 59fb70f22143eccdf74639871e862df0c2f570fc Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang at redhat.com>
+Date: Mon, 30 Nov 2015 15:38:23 +0800
+Subject: [PATCH 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512)
+
+Backends could provide a packet whose length is greater than buffer
+size. Check for this and truncate the packet to avoid rx buffer
+overflow in this case.
+
+Cc: Prasad J Pandit <pjp at fedoraproject.org>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/pcnet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 309c40b..1f4a3db 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+             int pktcount = 0;
+ 
+             if (!s->looptest) {
++                if (size > 4092) {
++#ifdef PCNET_DEBUG_RMD
++                    fprintf(stderr, "pcnet: truncates rx packet.\n");
++#endif
++                    size = 4092;
++                }
+                 memcpy(src, buf, size);
+                 /* no need to compute the CRC */
+                 src[size] = 0;
+-- 
+2.1.4
+
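Review bot: the new `if (size > 4092)` clamp in the pcnet_receive hunk at line 1064 hard-codes a limit that the first patch expresses as `sizeof(s->buffer) - 4`; if that is the intended value, write it the same way (or as a shared named constant) so the two bounds cannot drift apart if the buffer size ever changes. A second point: after the clamp the code continues into `memcpy(src, buf, size);` and `src[size] = 0;`, so the guest receives the first 4092 bytes as a seemingly complete frame, and the only trace is the `fprintf` behind `#ifdef PCNET_DEBUG_RMD`. Dropping an oversized frame, or at least saying in the commit message that the guest sees a silently truncated frame rather than an error, would be clearer than "truncate the packet" alone.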
diff --git a/debian/patches/series b/debian/patches/series
index 60adfb8..6e92bcc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -35,3 +35,5 @@ jemalloc.patch
 mirror-fix-zero-init.patch
 fix-emulator-version-string.patch
 add_firewall_to_vma.patch
+0001-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
+0002-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
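Review bot: the order of the two new entries at the end of `debian/patches/series` matters and is correct: 0002 is generated against blob 309c40b, which is the post-image of 0001 (`index 0eb3cc4..309c40b` followed by `index 309c40b..1f4a3db`), so they must stay in this sequence. The first file name, however, lost its CVE identifier to subject-length truncation when the patch was exported (`...-receive-data-size-CV.patch`); renaming it to carry `CVE-2015-7504` in full, as 0002 does for CVE-2015-7512, would make `series` greppable by CVE when checking which fixes this package carries.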
-- 
2.1.4
