2 files changed, 23 insertions, 1 deletions

diff --git a/system/qemu/qemu.SlackBuild b/system/qemu/qemu.SlackBuild
index c9c7c4698f..1da81e8417 100644
--- a/system/qemu/qemu.SlackBuild
+++ b/system/qemu/qemu.SlackBuild
@@ -40,10 +40,11 @@
 # 1.7	01-JAN-2015	    updated to 2.2.0 ; build and link static libusb option (rw, tm, SBo list)
 # 1.8	27-APR-2015     updated to version 2.3.0
 # 1.9   14-MAY-2015     patched for "Venom" CVE-2015-3456 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
+# 2.0   11-JUL-2015     patched for Heap-based buffer overflow in the PCNET controller CVE-2015-3209 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=9f7c594c006289ad41169b854d70f5da6e400a2a
 
 PRGNAM=qemu
 VERSION=${VERSION:-2.3.0}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-3}
 TAG=${TAG:-_SBo}
 
 KVMGROUP=${KVMGROUP:-users}
@@ -140,6 +141,9 @@ fi
 # patch Venom bug CVE-2015-3456
 patch -p1 < $CWD/qemu_venom.patch
 
+# patch PCNET controller bug CVE-2015-3209
+patch -p1 < $CWD/qemu_pcnet.patch
+
 PKG_CONFIG_PATH+="${USBSTATIC}" \
 CFLAGS="$SLKCFLAGS" \
 CXXFLAGS="$SLKCFLAGS" \
diff --git a/system/qemu/qemu_pcnet.patch b/system/qemu/qemu_pcnet.patch
new file mode 100644
index 0000000000..5fc27c6069
--- /dev/null
+++ b/system/qemu/qemu_pcnet.patch
@@ -0,0 +1,18 @@
+index bdfd38f..68b9981 100644 (file)
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
+         }
+ 
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
++
++        /* if multi-tmd packet outsizes s->buffer then skip it silently.
++           Note: this is not what real hw does */
++        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++            s->xmit_pos = -1;
++            goto txdone;
++        }
++
+         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+         s->xmit_pos += bcnt;
\ No newline at end of file