debian/patches/old/CVE-2015-8743-ne2000-ioport-bounds-check.patch

   1 From ab216355b6d509dce42fda4391f61b49df2ddc93 Mon Sep 17 00:00:00 2001
   2 From: Prasad J Pandit <pjp@fedoraproject.org>
   3 Date: Thu, 31 Dec 2015 17:05:27 +0530
   4 Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
   5
   6 While doing ioport r/w operations, ne2000 device emulation suffers
   7 from OOB r/w errors. Update respective array bounds check to avoid
   8 OOB access.
   9
  10 Reported-by: Ling Liu <liuling-it@360.cn>
  11 Cc: qemu-stable@nongnu.org
  12 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
  13 Signed-off-by: Jason Wang <jasowang@redhat.com>
  14 ---
  15  hw/net/ne2000.c | 10 ++++++----
  16  1 file changed, 6 insertions(+), 4 deletions(-)
  17
  18 diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
  19 index 010f9ef..a3dffff 100644
  20 --- a/hw/net/ne2000.c
  21 +++ b/hw/net/ne2000.c
  22 @@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
  23                                       uint32_t val)
  24  {
  25      addr &= ~1; /* XXX: check exact behaviour if not even */
  26 -    if (addr < 32 ||
  27 -        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
  28 +    if (addr < 32
  29 +        || (addr >= NE2000_PMEM_START
  30 +            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
  31          stl_le_p(s->mem + addr, val);
  32      }
  33  }
  34 @@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
  35  static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
  36  {
  37      addr &= ~1; /* XXX: check exact behaviour if not even */
  38 -    if (addr < 32 ||
  39 -        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
  40 +    if (addr < 32
  41 +        || (addr >= NE2000_PMEM_START
  42 +            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
  43          return ldl_le_p(s->mem + addr);
  44      } else {
  45          return 0xffffffff;
  46 --
  47 2.1.4
  48