slirp: Fix CVE-2020-1983

upstream url: 9bd6c59132 Signed-off-by: Ying Fang <fangying1@huawei.com>
2020-04-24 11:39:53 +08:00 · 2020-04-24 11:39:53 +08:00 · 8f8df3ea84
commit 8f8df3ea84
parent e21eae0df2
2 changed files with 50 additions and 2 deletions
--- a/Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
+++ b/Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
@ -0,0 +1,44 @@
 From 477c7aea5f2f9090c016c0a9813dc5901bd1b66a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
 Date: Fri, 24 Apr 2020 11:36:41 +0800
 Subject: [PATCH] Fix use-afte-free in ip_reass() (CVE-2020-1983)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The q pointer is updated when the mbuf data is moved from m_dat to
 m_ext.
 m_ext buffer may also be realloc()'ed and moved during m_cat():
 q should also be updated in this case.
 Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
 Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
 diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
 index 89ae04e0..7fdde631 100644
 --- a/slirp/src/ip_input.c
 +++ b/slirp/src/ip_input.c
@@ -333,7 +333,7 @@ insert:
     q = fp->frag_link.next;
 	m = dtom(slirp, q);
 -	int was_ext = m->m_flags & M_EXT;
 +	int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
 	q = (struct ipasfrag *) q->ipf_next;
 	while (q != (struct ipasfrag*)&fp->frag_link) {
@@ -356,8 +356,7 @@ insert:
 	 * then an m_ext buffer was alloced. But fp->ipq_next points to the old
 	 * buffer (in the mbuf), so we must point ip into the new buffer.
 	 */
 -	if (!was_ext && m->m_flags & M_EXT) {
 -	  int delta = (char *)q - m->m_dat;
 +	if (m->m_flags & M_EXT) {
 	  q = (struct ipasfrag *)(m->m_ext + delta);
 	}
 -- 
 2.23.0
--- a/qemu.spec
+++ b/qemu.spec
@ -47,7 +47,7 @@ Patch0034: tcp_emu-Fix-oob-access.patch
 Patch0035: slirp-use-correct-size-while-emulating-IRC-commands.patch
 Patch0036: slirp-use-correct-size-while-emulating-commands.patch
 Patch0037: tcp_emu-fix-unsafe-snprintf-usages.patch
-Patch0038: block-iscsi-use-MIN-between-mx_sb_len-and-sb_len_wr.patch 
+Patch0038: block-iscsi-use-MIN-between-mx_sb_len-and-sb_len_wr.patch
 Patch0039: monitor-fix-memory-leak-in-monitor_fdset_dup_fd_find.patch
 Patch0040: vhost-Fix-memory-region-section-comparison.patch
 Patch0041: memory-Align-MemoryRegionSections-fields.patch
@ -63,6 +63,7 @@ Patch0050: pcie-Add-pcie-root-port-fast-plug-unplug-feature.patch
 Patch0051: pcie-Compat-with-devices-which-do-not-support-Link-W.patch
 Patch0052: aio-wait-delegate-polling-of-main-AioContext-if-BQL-not-held.patch
 Patch0053: async-use-explicit-memory-barriers.patch
 Patch0054: Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
 BuildRequires: flex
 BuildRequires: bison
@ -398,7 +399,10 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
-* Sat Apr 11 4 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
+* Fri Apr 24 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - Fix use-afte-free in ip_reass() (CVE-2020-1983)
 * Sat Apr 11 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - aio-wait: delegate polling of main AioContext if BQL not held
 - async: use explicit memory barriers