[pkgsrc/pkgsrc-2015Q1]: pkgsrc/sysutils/xenkernel45 Pullup ticket #4743 - req...
details: https://anonhg.NetBSD.org/pkgsrc/rev/52b107daad9c
branches: pkgsrc-2015Q1
changeset: 649276:52b107daad9c
user: spz <spz%pkgsrc.org@localhost>
date: Sat Jun 13 09:13:34 2015 +0000
description:
Pullup ticket #4743 - requested by khorben
sysutils/xenkernel45: security patch
Revisions pulled up:
- sysutils/xenkernel45/Makefile 1.8
- sysutils/xenkernel45/distinfo 1.7
- sysutils/xenkernel45/patches/patch-CVE-2015-3456 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: khorben
Date: Fri Jun 5 17:15:04 UTC 2015
Modified Files:
pkgsrc/sysutils/xenkernel45: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel45/patches: patch-CVE-2015-3456
Log Message:
Apply fixes from upstream for XSA-133
Privilege escalation via emulated floppy disk drive
The code in qemu which emulates a floppy disk controller did not
correctly bounds check accesses to an array and therefore was
vulnerable to a buffer overflow attack.
A guest which has access to an emulated floppy device can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.
All Xen systems running x86 HVM guests without stubdomains are
vulnerable to this depending on the specific guest configuration. The
default configuration is vulnerable.
Guests using either the traditional "qemu-xen" or upstream qemu device
models are vulnerable.
Guests using a qemu-dm stubdomain to run the device model are only
vulnerable to takeover of that service domain.
Systems running only x86 PV guests are not vulnerable.
ARM systems are not vulnerable.
To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/xenkernel45/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/xenkernel45/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel45/patches/patch-CVE-2015-3456
diffstat:
sysutils/xenkernel45/Makefile | 4 +-
sysutils/xenkernel45/distinfo | 3 +-
sysutils/xenkernel45/patches/patch-CVE-2015-3456 | 131 +++++++++++++++++++++++
3 files changed, 135 insertions(+), 3 deletions(-)
diffs (167 lines):
diff -r f7d1de6fee0e -r 52b107daad9c sysutils/xenkernel45/Makefile
--- a/sysutils/xenkernel45/Makefile Sat Jun 13 07:03:28 2015 +0000
+++ b/sysutils/xenkernel45/Makefile Sat Jun 13 09:13:34 2015 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.5.2.2 2015/04/29 21:16:43 tron Exp $
+# $NetBSD: Makefile,v 1.5.2.3 2015/06/13 09:13:34 spz Exp $
VERSION= 4.5.0
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel45-${VERSION}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff -r f7d1de6fee0e -r 52b107daad9c sysutils/xenkernel45/distinfo
--- a/sysutils/xenkernel45/distinfo Sat Jun 13 07:03:28 2015 +0000
+++ b/sysutils/xenkernel45/distinfo Sat Jun 13 09:13:34 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4.2.2 2015/04/29 21:16:43 tron Exp $
+$NetBSD: distinfo,v 1.4.2.3 2015/06/13 09:13:34 spz Exp $
SHA1 (xen-4.5.0.tar.gz) = c4aab5fb366496ad1edc7fe0a935a0d604335637
RMD160 (xen-4.5.0.tar.gz) = e35ba0cb484492c1a289218eb9bf53b57dbd3a45
@@ -9,6 +9,7 @@
SHA1 (patch-CVE-2015-2751) = b0ab727ae01291a0e4ea2efe3931b6cd00df1a39
SHA1 (patch-CVE-2015-2752) = 390edab296a91c83197205dce7030cbdd60e0d78
SHA1 (patch-CVE-2015-2756) = e76490b858e213d09d326b413004d29a7e177b20
+SHA1 (patch-CVE-2015-3456) = c81924ca3b562f8cc64a3dcce81fe730e838910a
SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf
SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe
SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
diff -r f7d1de6fee0e -r 52b107daad9c sysutils/xenkernel45/patches/patch-CVE-2015-3456
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel45/patches/patch-CVE-2015-3456 Sat Jun 13 09:13:34 2015 +0000
@@ -0,0 +1,131 @@
+$NetBSD: patch-CVE-2015-3456,v 1.1.2.2 2015/06/13 09:13:34 spz Exp $
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse%redhat.com@localhost>
+Reviewed-by: John Snow <jsnow%redhat.com@localhost>
+
+--- tools/qemu-xen/hw/block/fdc.c
++++ tools/qemu-xen/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--- tools/qemu-xen-traditional/hw/fdc.c
++++ tools/qemu-xen-traditional/hw/fdc.c
+@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
+ {
+ fdrive_t *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+ fdrive_t *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+ fdrive_t *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
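Review bot: The new patch file carries the upstream commit message but no line saying where the fix was taken from, so a later reader cannot tell whether the qemu-xen-traditional half was adapted locally or copied from the XSA-133 advisory patches; pkgsrc patch headers conventionally open with such a reference, e.g. `Fix for XSA-133 (CVE-2015-3456), taken from the upstream Xen advisory patches.` Separately, in both `fdctrl_handle_drive_specification_command` hunks `pos = fdctrl->data_pos - 1;` is unsigned arithmetic, so a zero `data_pos` wraps to `UINT32_MAX` and the following `pos %= FD_SECTOR_LEN` maps it to 511 — still inside the buffer, which is why the bound holds, but that deserves an explicit comment such as `/* data_pos == 0 wraps; the modulo still keeps pos inside the fifo */` rather than being left implicit. The remainder of each modified function lies outside the quoted hunks, so whether other `fdctrl->data_pos` uses in those functions were also reviewed cannot be confirmed from this page.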