From 42f23fa4e7a65a65b137eaef98c8c57172242e79 Mon Sep 17 00:00:00 2001
From: Ying Fang <fangying1@huawei.com>
Date: Fri, 22 May 2020 11:17:40 +0800
Subject: [PATCH] CVE: Fix CVE-2019-15890

this patch fix CVE-2019-15890, upstream patch url:
https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943

Signed-off-by: Ying Fang <fangying1@huawei.com>
---
 ip_reass-Fix-use-after-free.patch | 40 +++++++++++++++++++++++++++++++
 qemu.spec                         |  4 ++++
 2 files changed, 44 insertions(+)
 create mode 100644 ip_reass-Fix-use-after-free.patch

diff --git a/ip_reass-Fix-use-after-free.patch b/ip_reass-Fix-use-after-free.patch
new file mode 100644
index 0000000..b26e8af
--- /dev/null
+++ b/ip_reass-Fix-use-after-free.patch
@@ -0,0 +1,40 @@
+From 63b07dfe20a0d4971b0929d27359f478ba2d816b Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Fri, 22 May 2020 10:52:55 +0800
+Subject: [PATCH] ip_reass: Fix use after free
+
+Using ip_deq after m_free might read pointers from an allocation reuse.
+
+This would be difficult to exploit, but that is still related with
+CVE-2019-14378 which generates fragmented IP packets that would trigger this
+issue and at least produce a DoS.
+Signed-off-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
+
+diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
+index 8c75d91..c07d7d4 100644
+--- a/slirp/src/ip_input.c
++++ b/slirp/src/ip_input.c
+@@ -292,6 +292,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
+      */
+     while (q != (struct ipasfrag *)&fp->frag_link &&
+            ip->ip_off + ip->ip_len > q->ipf_off) {
++        struct ipasfrag *prev;
+         i = (ip->ip_off + ip->ip_len) - q->ipf_off;
+         if (i < q->ipf_len) {
+             q->ipf_len -= i;
+@@ -299,9 +300,10 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
+             m_adj(dtom(slirp, q), i);
+             break;
+         }
++        prev = q;
+         q = q->ipf_next;
+-        m_free(dtom(slirp, q->ipf_prev));
+-        ip_deq(q->ipf_prev);
++        ip_deq(prev);
++        m_free(dtom(slirp, prev));
+     }
+ 
+ insert:
+-- 
+1.8.3.1
+
diff --git a/qemu.spec b/qemu.spec
index c6d487b..68cc7d6 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -165,6 +165,7 @@ Patch0152: arm-virt-Support-CPU-cold-plug.patch
 Patch0153: ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch
 Patch0154: ati-vga-Fix-checks-in-ati_2d_blt-to-avoid-crash.patch
 Patch0155: slirp-tftp-restrict-relative-path-access.patch
+Patch0156: ip_reass-Fix-use-after-free.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -510,6 +511,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Fri May 22 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
+- ip_reass: Fix use after free 
+
 * Fri May 15 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
 - ati-vga: Fix checks in ati_2d_blt() to avoid crash