diff options
| author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2020-11-02 14:01:01 +0100 |
|---|---|---|
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2020-11-02 14:01:01 +0100 |
| commit | 0c54b757e9c2eeeb086b0977b14dff4c456b7d4a (patch) | |
| tree | 10cddcbecaa1f72b07f75690c91c4a2c9e637780 /pkgs/applications/virtualization | |
| parent | 92781c27bd16862e50f6e9b65a01d12d843cca59 (diff) | |
qemu: apply patch for CVE-2020-27617
An assert(3) failure issue was found in the networking helper functions of QEMU. It could occur in the eth_get_gso_type() routine, if a packet does not have a valid networking L3 protocol (ex. IPv4, IPv6) value. A guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
Fixes: CVE-2020-27617
Diffstat (limited to 'pkgs/applications/virtualization')
| -rw-r--r-- | pkgs/applications/virtualization/qemu/CVE-2020-27617.patch | 43 | ||||
| -rw-r--r-- | pkgs/applications/virtualization/qemu/default.nix | 1 |
2 files changed, 44 insertions, 0 deletions
diff --git a/pkgs/applications/virtualization/qemu/CVE-2020-27617.patch b/pkgs/applications/virtualization/qemu/CVE-2020-27617.patch new file mode 100644 index 000000000000..fa708b298365 --- /dev/null +++ b/pkgs/applications/virtualization/qemu/CVE-2020-27617.patch @@ -0,0 +1,43 @@ +From 6d19c0cc6c5a9bba308fc29d7c0edc2dc372c41b Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Wed, 21 Oct 2020 11:35:50 +0530 +Subject: [PATCH] net: remove an assert call in eth_get_gso_type + +eth_get_gso_type() routine returns segmentation offload type based on +L3 protocol type. It calls g_assert_not_reached if L3 protocol is +unknown, making the following return statement unreachable. Remove the +g_assert call, it maybe triggered by a guest user. + +Reported-by: Gaoning Pan <pgn@zju.edu.cn> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +--- + net/eth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/eth.c b/net/eth.c +index 0c1d413ee2..eee77071f9 100644 +--- a/net/eth.c ++++ b/net/eth.c +@@ -16,6 +16,7 @@ + */ + + #include "qemu/osdep.h" ++#include "qemu/log.h" + #include "net/eth.h" + #include "net/checksum.h" + #include "net/tap.h" +@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto) + return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state; + } + } +- +- /* Unsupported offload */ +- g_assert_not_reached(); ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: probably not GSO frame, " ++ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto); + + return VIRTIO_NET_HDR_GSO_NONE | ecn_state; + } +-- +2.28.0 + diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index 3c8672057996..2bace4f258d7 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -82,6 +82,7 @@ stdenv.mkDerivation rec { ./no-etc-install.patch ./fix-qemu-ga.patch ./9p-ignore-noatime.patch + ./CVE-2020-27617.patch ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch ++ optionals stdenv.hostPlatform.isMusl [ (fetchpatch { |