|
 |
169b9a |
From b25ccac372f3289d7b0b5500064fe0a38eb32d6f Mon Sep 17 00:00:00 2001
|
|
|
169b9a |
From: Xiao Wang <jasowang@redhat.com>
|
|
|
169b9a |
Date: Wed, 8 Aug 2018 08:44:36 +0200
|
|
|
169b9a |
Subject: [PATCH 4/4] slirp: Correct size check in m_inc()
|
|
|
169b9a |
|
|
|
169b9a |
RH-Author: Xiao Wang <jasowang@redhat.com>
|
|
|
169b9a |
Message-id: <1533717876-2330-1-git-send-email-jasowang@redhat.com>
|
|
|
169b9a |
Patchwork-id: 81676
|
|
|
169b9a |
O-Subject: [RHEL-7.6/7.5z qemu-kvm PATCH] slirp: Correct size check in m_inc()
|
|
|
169b9a |
Bugzilla: 1586253
|
|
|
169b9a |
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
169b9a |
RH-Acked-by: wexu@redhat.com
|
|
|
169b9a |
RH-Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
169b9a |
|
|
|
169b9a |
From: Peter Maydell <peter.maydell@linaro.org>
|
|
|
169b9a |
|
|
|
169b9a |
Notes:
|
|
|
169b9a |
- Conflict since we lacks 6da5de1ee87e ("slirp: reformat m_inc
|
|
|
169b9a |
routine"), and its backport has various other dependicies.
|
|
|
169b9a |
- This is a fixup for CVE-2018-11806 fix
|
|
|
169b9a |
|
|
|
169b9a |
The data in an mbuf buffer is not necessarily at the start of the
|
|
|
169b9a |
allocated buffer. (For instance m_adj() allows data to be trimmed
|
|
|
169b9a |
from the start by just advancing the pointer and reducing the length.)
|
|
|
169b9a |
This means that the allocated buffer size (m->m_size) and the
|
|
|
169b9a |
amount of space from the m_data pointer to the end of the
|
|
|
169b9a |
buffer (M_ROOM(m)) are not necessarily the same.
|
|
|
169b9a |
|
|
|
169b9a |
Commit 864036e251f54c9 tried to change the m_inc() function from
|
|
|
169b9a |
taking the new allocated-buffer-size to taking the new room-size,
|
|
|
169b9a |
but forgot to change the initial "do we already have enough space"
|
|
|
169b9a |
check. This meant that if we were trying to extend a buffer which
|
|
|
169b9a |
had a leading gap between the buffer start and the data, we might
|
|
|
169b9a |
incorrectly decide it didn't need to be extended, and then
|
|
|
169b9a |
overrun the end of the buffer, causing memory corruption and
|
|
|
169b9a |
an eventual crash.
|
|
|
169b9a |
|
|
|
169b9a |
Change the "already big enough?" condition from checking the
|
|
|
169b9a |
argument against m->m_size to checking against M_ROOM().
|
|
|
169b9a |
This only makes a difference for the callsite in m_cat();
|
|
|
169b9a |
the other three callsites all start with a freshly allocated
|
|
|
169b9a |
mbuf from m_get(), which will have m->m_size == M_ROOM(m).
|
|
|
169b9a |
|
|
|
169b9a |
Fixes: 864036e251f54c9
|
|
|
169b9a |
Fixes: https://bugs.launchpad.net/qemu/+bug/1785670
|
|
|
169b9a |
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
|
169b9a |
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
|
169b9a |
Message-id: 20180807114501.12370-1-peter.maydell@linaro.org
|
|
|
169b9a |
Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
169b9a |
(cherry picked from commit c22098c74a09164797fae6511c5eaf68f32c4dd8)
|
|
|
169b9a |
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
|
169b9a |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
169b9a |
---
|
|
|
169b9a |
slirp/mbuf.c | 6 ++++--
|
|
|
169b9a |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
169b9a |
|
|
|
169b9a |
diff --git a/slirp/mbuf.c b/slirp/mbuf.c
|
|
|
169b9a |
index ced2033..63f071f 100644
|
|
|
169b9a |
--- a/slirp/mbuf.c
|
|
|
169b9a |
+++ b/slirp/mbuf.c
|
|
|
169b9a |
@@ -154,8 +154,10 @@ m_inc(struct mbuf *m, int size)
|
|
|
169b9a |
{
|
|
|
169b9a |
int datasize;
|
|
|
169b9a |
|
|
|
169b9a |
- /* some compiles throw up on gotos. This one we can fake. */
|
|
|
169b9a |
- if(m->m_size>size) return;
|
|
|
169b9a |
+ /* some compilers throw up on gotos. This one we can fake. */
|
|
|
169b9a |
+ if (M_ROOM(m) > size) {
|
|
|
169b9a |
+ return;
|
|
|
169b9a |
+ }
|
|
|
169b9a |
|
|
|
169b9a |
if (m->m_flags & M_EXT) {
|
|
|
169b9a |
datasize = m->m_data - m->m_ext;
|
|
|
169b9a |
--
|
|
|
169b9a |
1.8.3.1
|
|
|
169b9a |
|