From 4a01f1844bcfb8c1efb04f50178fc3a58933ef53 Mon Sep 17 00:00:00 2001 From: Jiajie Li Date: Fri, 11 Sep 2020 10:30:16 +0800 Subject: [PATCH] slirp/src/ip6_input.c: pick patch for CVE-2020-10756 from upstream Drop IPv6 message shorter than what's mentioned in the payload length header (+ the size of the IPv6 header). They're invalid and could lead to data leakage in icmp6_send_echoreply(). --- qemu.spec | 6 +++- ...g-fix-out-of-bounds-read-information.patch | 36 +++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 slirp-networking-fix-out-of-bounds-read-information.patch diff --git a/qemu.spec b/qemu.spec index 115f3f6d..ac5719a2 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 18 +Release: 19 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY @@ -184,6 +184,7 @@ Patch0171: megasas-use-unsigned-type-for-positive-numeric-field.patch Patch0172: hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch Patch0173: hw-arm-acpi-enable-SHPC-native-hot-plug.patch PATCH0174: hw-usb-core-fix-buffer-overflow.patch +Patch0175: slirp-networking-fix-out-of-bounds-read-information.patch BuildRequires: flex BuildRequires: bison @@ -529,6 +530,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Sep 11 2020 Huawei Technologies Co., Ltd +- slirp/src/ip6_input.c: fix out-of-bounds read information vulnerablity + * Thu Aug 27 2020 Huawei Technologies Co., Ltd - hw/usb/core.c: fix buffer overflow in do_token_setup function diff --git a/slirp-networking-fix-out-of-bounds-read-information.patch b/slirp-networking-fix-out-of-bounds-read-information.patch new file mode 100644 index 00000000..e5a19147 --- /dev/null +++ b/slirp-networking-fix-out-of-bounds-read-information.patch @@ -0,0 +1,36 @@ +From 353521693d409d3800fa9bb29981bf15b7be9729 Mon Sep 17 00:00:00 2001 +From: Jiajie Li +Date: Thu, 10 Sep 2020 10:49:36 +0800 +Subject: [PATCH] Init slirp/src/ip6_input.c + +Drop Ipv6 message shorter than what's mentioned in the payload +length header (+ the size of the IPv6 header). Ther're invalid and could +lead to data leakage in icmp6_send_echoreply(). + +Signed-off-by Ralf Haferkamp + +--- + slirp/src/ip6_input.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c +index c966d91..d9d2b7e 100644 +--- a/slirp/src/ip6_input.c ++++ b/slirp/src/ip6_input.c +@@ -49,13 +49,6 @@ void ip6_input(struct mbuf *m) + goto bad; + } + +- // Check if the message size is big enough to hold what's +- // set in the payload length header. If not this is an invalid +- // packet +- if(m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)){ +- goto bad; +- } +- + /* check ip_ttl for a correct ICMP reply */ + if (ip6->ip_hl == 0) { + icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS); +-- +1.8.3.1 + -- Gitee