pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2015Q1]: pkgsrc/sysutils/xentools45 Pullup ticket #4744 - requ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/b9d2e94cfae6
branches: pkgsrc-2015Q1
changeset: 649277:b9d2e94cfae6
user: spz <spz%pkgsrc.org@localhost>
date: Sat Jun 13 09:13:41 2015 +0000
description:
Pullup ticket #4744 - requested by khorben
sysutils/xentools45: security patch
Revisions pulled up:
- sysutils/xentools45/Makefile 1.7
- sysutils/xentools45/distinfo 1.7
- sysutils/xentools45/patches/patch-CVE-2015-3456 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: khorben
Date: Fri Jun 5 18:15:42 UTC 2015
Modified Files:
pkgsrc/sysutils/xentools45: Makefile distinfo
Added Files:
pkgsrc/sysutils/xentools45/patches: patch-CVE-2015-3456
Log Message:
Apply fixes from upstream for XSA-133
The patch really belongs here rather than in sysutils/xenkernel45 (where
it is already applied).
To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/xentools45/Makefile \
pkgsrc/sysutils/xentools45/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/sysutils/xentools45/patches/patch-CVE-2015-3456
diffstat:
sysutils/xentools45/Makefile | 4 +-
sysutils/xentools45/distinfo | 3 +-
sysutils/xentools45/patches/patch-CVE-2015-3456 | 131 ++++++++++++++++++++++++
3 files changed, 135 insertions(+), 3 deletions(-)
diffs (169 lines):
diff -r 52b107daad9c -r b9d2e94cfae6 sysutils/xentools45/Makefile
--- a/sysutils/xentools45/Makefile Sat Jun 13 09:13:34 2015 +0000
+++ b/sysutils/xentools45/Makefile Sat Jun 13 09:13:41 2015 +0000
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.5.2.1 2015/04/29 21:11:13 tron Exp $
+# $NetBSD: Makefile,v 1.5.2.2 2015/06/13 09:13:41 spz Exp $
VERSION= 4.5.0
VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e
DISTNAME= xen-${VERSION}
PKGNAME= xentools45-${VERSION}
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff -r 52b107daad9c -r b9d2e94cfae6 sysutils/xentools45/distinfo
--- a/sysutils/xentools45/distinfo Sat Jun 13 09:13:34 2015 +0000
+++ b/sysutils/xentools45/distinfo Sat Jun 13 09:13:41 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.5.2.1 2015/04/29 21:11:13 tron Exp $
+$NetBSD: distinfo,v 1.5.2.2 2015/06/13 09:13:41 spz Exp $
SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -18,6 +18,7 @@
SHA1 (patch-CVE-2015-2152) = 5a1cabf330b3a1bd902adf2b33dd5c4c32b8ab9d
SHA1 (patch-CVE-2015-2752) = 85bcb80dab938b85da3342e7001d95bacf7f49e5
SHA1 (patch-CVE-2015-2756) = 350cfd57a77d90997b81c7186e320bb52fb62d75
+SHA1 (patch-CVE-2015-3456) = 268b4dcb47bdf760e146b81184022e46d8a9d2d7
SHA1 (patch-Makefile) = 5d5b9678ed9764275ee95f49d24e8538a0e8a01c
SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50
SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
diff -r 52b107daad9c -r b9d2e94cfae6 sysutils/xentools45/patches/patch-CVE-2015-3456
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xentools45/patches/patch-CVE-2015-3456 Sat Jun 13 09:13:41 2015 +0000
@@ -0,0 +1,131 @@
+$NetBSD: patch-CVE-2015-3456,v 1.1.2.2 2015/06/13 09:13:41 spz Exp $
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse%redhat.com@localhost>
+Reviewed-by: John Snow <jsnow%redhat.com@localhost>
+
+--- qemu-xen/hw/block/fdc.c
++++ qemu-xen/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--- qemu-xen-traditional/hw/fdc.c
++++ qemu-xen-traditional/hw/fdc.c
+@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
+ {
+ fdrive_t *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+ fdrive_t *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+ fdrive_t *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
Home |
Main Index |
Thread Index |
Old Index