diff --git a/Drop-bogus-IPv6-messages.patch b/Drop-bogus-IPv6-messages.patch new file mode 100644 index 0000000000000000000000000000000000000000..2fc1e0e780e34b1570fbcfcc4581138c79e7fa46 --- /dev/null +++ b/Drop-bogus-IPv6-messages.patch @@ -0,0 +1,30 @@ +From e8b555c08061ad78920611a5e98ee14fcd967692 Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Fri, 11 Sep 2020 10:55:49 +0800 +Subject: [PATCH] Drop bogus IPv6 messages + +Drop IPv6 message shorter than what's mentioned in the playload +length header (+the size of IPv6 header). They're invalid and could +lead to data leakage in icmp6_send_echoreply(). + +diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c +index d9d2b7e..c2dce52 100644 +--- a/slirp/src/ip6_input.c ++++ b/slirp/src/ip6_input.c +@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m) + goto bad; + } + ++ // Check if the message size is big enough to hold what's ++ // set in the payload length header. If not this is an invalid ++ // packet ++ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) { ++ goto bad; ++ } ++ + /* check ip_ttl for a correct ICMP reply */ + if (ip6->ip_hl == 0) { + icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS); +-- +1.8.3.1 + diff --git a/qemu.spec b/qemu.spec index 74162a1452e2384333f19e7b15cdd56a6b783efa..a26648c4cb3c564f11e767643749a56f30108147 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 23 +Release: 24 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY @@ -228,6 +228,7 @@ Patch0215: target-arm-Update-ID-fields.patch Patch0216: target-arm-Add-more-CPU-features.patch Patch0217: hw-usb-core-fix-buffer-overflow.patch Patch0218: target-arm-ignore-evtstrm-and-cpuid-CPU-features.patch +Patch0219: Drop-bogus-IPv6-messages.patch BuildRequires: flex BuildRequires: bison @@ -574,6 +575,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Sep 11 2020 Huawei Technologies Co., Ltd +- slirp/src/ip6_input.c: fix out-of-bounds read information vulnerability + * Tue Sep 08 2020 Huawei Technologies Co., Ltd - target/arm: ignore evtstrm and cpuid CPU features