From ac1746db5da6d1aeaf7287146a7174a915f1239a Mon Sep 17 00:00:00 2001
From: Jiajie Li
Date: Fri, 11 Sep 2020 10:18:30 +0800
Subject: [PATCH 1/2] slirp/src/ip6_input.c: pick patch for CVE-2020-10756 from upstream

Drop IPv6 message shorter than what's mentioned in the payload length header (+ the size of the IPv6 header). Thery're invalid and could lead to data leakage in icmp6_send_echoreply().

---
 qemu.spec | 6 +++-
 ...g-fix-out-of-bounds-read-information.patch | 36 +++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 slirp-networking-fix-out-of-bounds-read-information.patch

diff --git a/qemu.spec b/qemu.spec
index 5fc44c4..6bb674a 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 26
+Release: 27
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
@@ -279,6 +279,7 @@ Patch0266: migration-multifd-not-use-multifd-during-postcopy.patch
 Patch0267: migration-Define-VMSTATE_INSTANCE_ID_ANY.patch
 Patch0268: migration-Change-SaveStateEntry.instance_id-into-uin.patch
 Patch0269: apic-Use-32bit-APIC-ID-for-migration-instance-ID.patch
+Patch0270: slirp-networking-fix-out-of-bounds-read-information.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -625,6 +626,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Fri sep 11 2020 Huawei Technologies Co., Ltd
+- slirp-networking-fix-out-of-bounds-read-information.patch
+
 * Thu sep 10 2020 Huawei Technologies Co., Ltd
 - apic-Use-32bit-APIC-ID-for-migration-instance-ID.patch
 - audio-fix-integer-overflow.patch
diff --git a/slirp-networking-fix-out-of-bounds-read-information.patch b/slirp-networking-fix-out-of-bounds-read-information.patch
new file mode 100644
index 0000000..e5a1914
--- /dev/null
+++ b/slirp-networking-fix-out-of-bounds-read-information.patch
@@ -0,0 +1,36 @@
+From 353521693d409d3800fa9bb29981bf15b7be9729 Mon Sep 17 00:00:00 2001
+From: Jiajie Li
+Date: Thu, 10 Sep 2020 10:49:36 +0800
+Subject: [PATCH] Init slirp/src/ip6_input.c
+
+Drop Ipv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). Ther're invalid and could
+lead to data leakage in icmp6_send_echoreply().
+
+Signed-off-by Ralf Haferkamp
+
+---
+ slirp/src/ip6_input.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index c966d91..d9d2b7e 100644
+--- a/slirp/src/ip6_input.c
++++ b/slirp/src/ip6_input.c
+@@ -49,13 +49,6 @@ void ip6_input(struct mbuf *m)
+ goto bad;
+ }
+ 
+- // Check if the message size is big enough to hold what's
+- // set in the payload length header. If not this is an invalid
+- // packet
+- if(m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)){
+- goto bad;
+- }
+-
+ /* check ip_ttl for a correct ICMP reply */
+ if (ip6->ip_hl == 0) {
+ icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+--
+1.8.3.1
+
-- 
Gitee

From 6e8cd0aa40203004d40439c1c5b63d856b4865ed Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Fri, 11 Sep 2020 11:19:23 +0800
Subject: [PATCH 2/2] Drop bogus IPv6 messages

Drop IPv6 message shorter than what's mentioned in the payload length header (+ the size of the IPv6 header). They're invalid and could lead to data leakage in icmp6_send_echoreply().

---
 ...on.patch => Drop-bogus-IPv6-messages.patch | 36 ++++++++-----------
 qemu.spec | 4 +--
 2 files changed, 17 insertions(+), 23 deletions(-)
 rename slirp-networking-fix-out-of-bounds-read-information.patch => Drop-bogus-IPv6-messages.patch (32%)

diff --git a/slirp-networking-fix-out-of-bounds-read-information.patch b/Drop-bogus-IPv6-messages.patch
similarity index 32%
rename from slirp-networking-fix-out-of-bounds-read-information.patch
rename to Drop-bogus-IPv6-messages.patch
index e5a1914..2fc1e0e 100644
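Review bot: The patch file added by this hunk deletes the length check instead of adding it — every code line of the embedded `ip6_input.c` hunk is a `-` line and its header reads `@@ -49,13 +49,6 @@` — so building with Patch0270 as committed would leave `ip6_input()` without the guard that the commit subject says it picks for CVE-2020-10756, and per the commit message a short datagram could still reach `icmp6_send_echoreply()`. The embedded header also carries a placeholder subject (`Init slirp/src/ip6_input.c`), a `Signed-off-by` line without its colon, and no reference to the upstream commit. The 2/2 patch in this series rewrites the file with the check re-added, which is the direction this hunk should have had from the start; the upstream reference would be best recorded as `(cherry picked from commit <upstream commit id>)` in the patch header so the provenance survives the later rename.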
--- a/slirp-networking-fix-out-of-bounds-read-information.patch
+++ b/Drop-bogus-IPv6-messages.patch
@@ -1,33 +1,27 @@
-From 353521693d409d3800fa9bb29981bf15b7be9729 Mon Sep 17 00:00:00 2001
-From: Jiajie Li
-Date: Thu, 10 Sep 2020 10:49:36 +0800
-Subject: [PATCH] Init slirp/src/ip6_input.c
+From e8b555c08061ad78920611a5e98ee14fcd967692 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp
+Date: Fri, 11 Sep 2020 10:55:49 +0800
+Subject: [PATCH] Drop bogus IPv6 messages
 
-Drop Ipv6 message shorter than what's mentioned in the payload
-length header (+ the size of the IPv6 header). Ther're invalid and could
+Drop IPv6 message shorter than what's mentioned in the playload
+length header (+the size of IPv6 header). They're invalid and could
 lead to data leakage in icmp6_send_echoreply().
 
-Signed-off-by Ralf Haferkamp
-
----
- slirp/src/ip6_input.c | 7 -------
- 1 file changed, 7 deletions(-)
-
 diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
-index c966d91..d9d2b7e 100644
+index d9d2b7e..c2dce52 100644
 --- a/slirp/src/ip6_input.c
 +++ b/slirp/src/ip6_input.c
-@@ -49,13 +49,6 @@ void ip6_input(struct mbuf *m)
+@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
 goto bad;
 }
 
-- // Check if the message size is big enough to hold what's
-- // set in the payload length header. If not this is an invalid
-- // packet
-- if(m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)){
-- goto bad;
-- }
--
++ // Check if the message size is big enough to hold what's
++ // set in the payload length header. If not this is an invalid
++ // packet
++ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
++ goto bad;
++ }
++
 /* check ip_ttl for a correct ICMP reply */
 if (ip6->ip_hl == 0) {
 icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
diff --git a/qemu.spec b/qemu.spec
index 6bb674a..a6a76a5 100644
--- a/qemu.spec
+++ b/qemu.spec
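Review bot: The rewritten patch header on the new side (`+Subject: [PATCH] Drop bogus IPv6 messages`, `+From:`, `+Date:`) still records neither the CVE identifier nor the upstream commit this fix was taken from, and the hunk drops the `Signed-off-by` line without replacing it, so the only place CVE-2020-10756 appears in the series is the 1/2 commit subject. The new description line `+Drop IPv6 message shorter than what's mentioned in the playload` also introduces a typo ("playload") that the old line did not have. For a vendored security backport the header should read something like `Subject: [PATCH] Drop bogus IPv6 messages (CVE-2020-10756)` followed by `(cherry picked from commit <upstream commit id>)`, so that a later audit of the spec's Patch0270 can be tied to the advisory without re-deriving it. The re-added check itself matches the removed one apart from formatting; whether `m->m_len` alone covers the whole datagram here presumably depends on slirp never chaining mbufs for inbound IPv6 — worth confirming against the surrounding `ip6_input()` code, which lies outside this hunk.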
@@ -279,7 +279,7 @@ Patch0266: migration-multifd-not-use-multifd-during-postcopy.patch
 Patch0267: migration-Define-VMSTATE_INSTANCE_ID_ANY.patch
 Patch0268: migration-Change-SaveStateEntry.instance_id-into-uin.patch
 Patch0269: apic-Use-32bit-APIC-ID-for-migration-instance-ID.patch
-Patch0270: slirp-networking-fix-out-of-bounds-read-information.patch
+Patch0270: Drop-bogus-IPv6-messages.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -627,7 +627,7 @@ getent passwd qemu >/dev/null || \
 
 %changelog
 * Fri sep 11 2020 Huawei Technologies Co., Ltd
-- slirp-networking-fix-out-of-bounds-read-information.patch
+- slir/src/ip6_input.c: fix out-of-bounds read information vulnerablity
 
 * Thu sep 10 2020 Huawei Technologies Co., Ltd
 - apic-Use-32bit-APIC-ID-for-migration-instance-ID.patch
-- 
Gitee