Skip to content

Commit

Permalink
qemu: apply patch for CVE-2020-27617
Browse files Browse the repository at this point in the history 
An assert(3) failure issue was found in the networking helper functions of QEMU. It could occur in the eth_get_gso_type() routine, if a packet does not have a valid networking L3 protocol (ex. IPv4, IPv6) value. A guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.

Fixes: CVE-2020-27617
(cherry picked from commit 0c54b75)
  • Loading branch information
@mweinelt
mweinelt committed Nov 9, 2020
1 parent 96052f3 commit 48a737c
Show file tree
Hide file tree
Showing 2 changed files with 44 additions and 0 deletions.
43 changes: 43 additions & 0 deletions pkgs/applications/virtualization/qemu/CVE-2020-27617.patch
View file
@@ -0,0 +1,43 @@
From 6d19c0cc6c5a9bba308fc29d7c0edc2dc372c41b Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 21 Oct 2020 11:35:50 +0530
Subject: [PATCH] net: remove an assert call in eth_get_gso_type

eth_get_gso_type() routine returns segmentation offload type based on
L3 protocol type. It calls g_assert_not_reached if L3 protocol is
unknown, making the following return statement unreachable. Remove the
g_assert call, it maybe triggered by a guest user.

Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
net/eth.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/eth.c b/net/eth.c
index 0c1d413ee2..eee77071f9 100644
--- a/net/eth.c
+++ b/net/eth.c
@@ -16,6 +16,7 @@
*/

#include "qemu/osdep.h"
+#include "qemu/log.h"
#include "net/eth.h"
#include "net/checksum.h"
#include "net/tap.h"
@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
}
}
-
- /* Unsupported offload */
- g_assert_not_reached();
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: probably not GSO frame, "
+ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);

return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
}
--
2.28.0

1 change: 1 addition & 0 deletions pkgs/applications/virtualization/qemu/default.nix
View file
Expand Up @@ -79,6 +79,7 @@ stdenv.mkDerivation rec {
./no-etc-install.patch
./fix-qemu-ga.patch
./9p-ignore-noatime.patch
./CVE-2020-27617.patch
] ++ optional nixosTestRunner ./force-uid0-on-9p.patch
++ optionals stdenv.hostPlatform.isMusl [
(fetchpatch {
Expand Down

0 comments on commit 48a737c

Please sign in to comment.