diff options
Diffstat (limited to 'pkgs/applications/virtualization/qemu')
| -rw-r--r-- | pkgs/applications/virtualization/qemu/CVE-2020-27617.patch | 43 | ||||
| -rw-r--r-- | pkgs/applications/virtualization/qemu/default.nix | 16 |
2 files changed, 59 insertions, 0 deletions
diff --git a/pkgs/applications/virtualization/qemu/CVE-2020-27617.patch b/pkgs/applications/virtualization/qemu/CVE-2020-27617.patch new file mode 100644 index 000000000000..fa708b298365 --- /dev/null +++ b/pkgs/applications/virtualization/qemu/CVE-2020-27617.patch @@ -0,0 +1,43 @@ +From 6d19c0cc6c5a9bba308fc29d7c0edc2dc372c41b Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Wed, 21 Oct 2020 11:35:50 +0530 +Subject: [PATCH] net: remove an assert call in eth_get_gso_type + +eth_get_gso_type() routine returns segmentation offload type based on +L3 protocol type. It calls g_assert_not_reached if L3 protocol is +unknown, making the following return statement unreachable. Remove the +g_assert call, it maybe triggered by a guest user. + +Reported-by: Gaoning Pan <pgn@zju.edu.cn> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +--- + net/eth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/eth.c b/net/eth.c +index 0c1d413ee2..eee77071f9 100644 +--- a/net/eth.c ++++ b/net/eth.c +@@ -16,6 +16,7 @@ + */ + + #include "qemu/osdep.h" ++#include "qemu/log.h" + #include "net/eth.h" + #include "net/checksum.h" + #include "net/tap.h" +@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto) + return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state; + } + } +- +- /* Unsupported offload */ +- g_assert_not_reached(); ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: probably not GSO frame, " ++ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto); + + return VIRTIO_NET_HDR_GSO_NONE | ecn_state; + } +-- +2.28.0 + diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index 3c8672057996..5d4b891ad5de 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -82,6 +82,13 @@ stdenv.mkDerivation rec { ./no-etc-install.patch ./fix-qemu-ga.patch ./9p-ignore-noatime.patch + ./CVE-2020-27617.patch + (fetchpatch { + # e1000e: infinite loop scenario in case of null packet descriptor, remove for QEMU >= 5.2.0-rc3 + name = "CVE-2020-28916.patch"; + url = "https://git.qemu.org/?p=qemu.git;a=patch;h=c2cb511634012344e3d0fe49a037a33b12d8a98a"; + sha256 = "1kvm6wl4vry0npiisxsn76h8nf1iv5fmqsyjvb46203f1yyg5pis"; + }) ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch ++ optionals stdenv.hostPlatform.isMusl [ (fetchpatch { @@ -99,6 +106,15 @@ stdenv.mkDerivation rec { }) ]; + # Remove CVE-2020-{29129,29130} for QEMU >5.1.0 + postPatch = '' + (cd slirp && patch -p1 < ${fetchpatch { + name = "CVE-2020-29129_CVE-2020-29130.patch"; + url = "https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f.patch"; + sha256 = "01vbjqgnc0kp881l5p6b31cyyirhwhavm6x36hlgkymswvl3wh9w"; + }}) + ''; + hardeningDisable = [ "stackprotector" ]; preConfigure = '' |