From 053c5c6c24539e419d23c05ae1bbd5f279787275 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Mon, 30 Nov 2015 13:18:47 +0100
Subject: [PATCH] added fixes for CVE-2015-7504 and CVE-2015-7512
Affected components: pcnet (so not exposed via our GUI) The patches were tagged for 2.5 but the code they're modifying is still the same as it was in 2.4. They apply and work.
---
 ...eck-to-validate-receive-data-size-CV.patch | 48 +++++++++++++++++++
 ...fix-rx-buffer-overflow-CVE-2015-7512.patch | 36 ++++++++++++++
 debian/patches/series | 2 +
 3 files changed, 86 insertions(+)
 create mode 100644 debian/patches/0001-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
 create mode 100644 debian/patches/0002-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch

diff --git a/debian/patches/0001-net-pcnet-add-check-to-validate-receive-data-size-CV.patch b/debian/patches/0001-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
new file mode 100644
index 0000000..39eceba
--- /dev/null
+++ b/debian/patches/0001-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
@@ -0,0 +1,48 @@
+From 6314c83ae14ee32835668e38bb55f4b93b800736 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Mon, 30 Nov 2015 15:38:22 +0800
+Subject: [PATCH 1/2] net: pcnet: add check to validate receive data
+ size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported by: Qinghao Tang
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Jason Wang
+---
+ hw/net/pcnet.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 0eb3cc4..309c40b 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ uint32_t fcs = ~0;
+ uint8_t *p = src;
+
+- while (p != &src[size-4])
++ while (p != &src[size])
+ CRC(fcs, *p++);
+ crc_err = (*(uint32_t *)p != htonl(fcs));
+ }
+@@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s)
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
+- Note: this is not what real hw does */
+- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++ * Note: this is not what real hw does.
++ * Last four bytes of s->buffer are used to store CRC FCS code.
++ */
++ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+ s->xmit_pos = -1;
+ goto txdone;
+ }
+--
+2.1.4
+
diff --git a/debian/patches/0002-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch b/debian/patches/0002-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
new file mode 100644
index 0000000..72c8d25
--- /dev/null
+++ b/debian/patches/0002-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
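Review bot: The relaxed loop bound `while (p != &src[size])` makes the four-byte FCS read at `src[size]` depend on the transmit-side check added in the second inner hunk (`s->xmit_pos + bcnt > sizeof(s->buffer) - 4`), but nothing at the receive site records that invariant; a comment above the loop such as `/* FCS lives at src[size..size+3]; pcnet_transmit caps size at sizeof(s->buffer) - 4 so it stays inside s->buffer */` would make the coupling explicit for the next person who touches either function. The comparison on the following context line, `crc_err = (*(uint32_t *)p != htonl(fcs));`, reads four bytes through a `uint32_t *` cast at an arbitrary byte offset; copying them into a `uint32_t` with `memcpy` would avoid the aliasing and alignment concern without changing the result. Whether `src` always points into `s->buffer` in the loopback path is not visible here, so the comment wording should be checked against the caller. The enclosing pcnet_receive and pcnet_transmit bodies start and end outside these hunks.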
@@ -0,0 +1,36 @@
+From 59fb70f22143eccdf74639871e862df0c2f570fc Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Mon, 30 Nov 2015 15:38:23 +0800
+Subject: [PATCH 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512)
+
+Backends could provide a packet whose length is greater than buffer
+size. Check for this and truncate the packet to avoid rx buffer
+overflow in this case.
+
+Cc: Prasad J Pandit
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang
+---
+ hw/net/pcnet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 309c40b..1f4a3db 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ int pktcount = 0;
+
+ if (!s->looptest) {
++ if (size > 4092) {
++#ifdef PCNET_DEBUG_RMD
++ fprintf(stderr, "pcnet: truncates rx packet.\n");
++#endif
++ size = 4092;
++ }
+ memcpy(src, buf, size);
+ /* no need to compute the CRC */
+ src[size] = 0;
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 60adfb8..6e92bcc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -35,3 +35,5 @@ jemalloc.patch
 mirror-fix-zero-init.patch
 fix-emulator-version-string.patch
 add_firewall_to_vma.patch
+0001-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
+0002-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
--
2.39.2
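Review bot: The new truncation bound `if (size > 4092)` and `size = 4092;` hard-code a limit that the first patch on this commit expresses as `sizeof(s->buffer) - 4` in pcnet_transmit; assuming the two agree today, they will drift apart if the buffer size or the FCS reservation ever changes, so `if (size > sizeof(s->buffer) - 4) {` and `size = sizeof(s->buffer) - 4;` would tie the receive-side cap to the same invariant. The diagnostic is only compiled under PCNET_DEBUG_RMD, so in a normal build an oversized frame from the backend is shortened silently; if that is intended, a one-line comment on the `if` stating that the cap leaves room for the trailing `src[size] = 0` and the FCS bytes would document it. The `s->looptest` branch is outside the hunk, so whether it is bounded the same way cannot be confirmed from here. pcnet_receive's body starts and ends outside the hunk.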