From c3f268000e02651f6c9fdeacfd115cc479c35b17 Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Tue, 1 Dec 2020 16:54:21 +0100
Subject: qemu: fix CVE-2020-28916

While receiving packets via e1000e_write_packet_to_guest an infinite
loop could be triggered if the receive descriptor had a NULL buffer
address.

A privileged guest user could use this to induce a DoS Scenario.

Fixes: CVE-2020-28916
---
 pkgs/applications/virtualization/qemu/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'pkgs/applications/virtualization')

diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index 163a87d7072f..5d4b891ad5de 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -83,6 +83,12 @@ stdenv.mkDerivation rec {
     ./fix-qemu-ga.patch
     ./9p-ignore-noatime.patch
     ./CVE-2020-27617.patch
+    (fetchpatch {
+      # e1000e: infinite loop scenario in case of null packet descriptor, remove for QEMU >= 5.2.0-rc3
+      name = "CVE-2020-28916.patch";
+      url = "https://git.qemu.org/?p=qemu.git;a=patch;h=c2cb511634012344e3d0fe49a037a33b12d8a98a";
+      sha256 = "1kvm6wl4vry0npiisxsn76h8nf1iv5fmqsyjvb46203f1yyg5pis";
+    })
   ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch
     ++ optionals stdenv.hostPlatform.isMusl [
     (fetchpatch {
-- 
cgit v1.2.3