

[pkgsrc/trunk]: pkgsrc/emulators/qemu Add patch for CVE-2015-3456.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/a5204894c56e
branches:  trunk
changeset: 651865:a5204894c56e
user:      khorben <khorben%pkgsrc.org@localhost>
date:      Sat May 16 03:19:54 2015 +0000

description:
Add patch for CVE-2015-3456.

fdc: force the fifo access to be in bounds of the allocated buffer

During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.

Fix this by making sure that the index is always bounded by the
allocated memory.

XXX pull-up where applicable

diffstat:

 emulators/qemu/Makefile                     |   3 +-
 emulators/qemu/distinfo                     |   3 +-
 emulators/qemu/patches/patch-hw_block_fdc.c |  71 +++++++++++++++++++++++++++++
 3 files changed, 75 insertions(+), 2 deletions(-)

diffs (104 lines):

diff -r 3708a3545acb -r a5204894c56e emulators/qemu/Makefile
--- a/emulators/qemu/Makefile   Sat May 16 03:14:29 2015 +0000
+++ b/emulators/qemu/Makefile   Sat May 16 03:19:54 2015 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.137 2015/04/29 20:30:53 ryoon Exp $
+# $NetBSD: Makefile,v 1.138 2015/05/16 03:19:54 khorben Exp $
 
 DISTNAME=      qemu-2.3.0
+PKGREVISION=   1
 CATEGORIES=    emulators
 MASTER_SITES=  http://wiki.qemu.org/download/
 EXTRACT_SUFX=  .tar.bz2
diff -r 3708a3545acb -r a5204894c56e emulators/qemu/distinfo
--- a/emulators/qemu/distinfo   Sat May 16 03:14:29 2015 +0000
+++ b/emulators/qemu/distinfo   Sat May 16 03:19:54 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.103 2015/04/29 20:30:53 ryoon Exp $
+$NetBSD: distinfo,v 1.104 2015/05/16 03:19:54 khorben Exp $
 
 SHA1 (qemu-2.3.0.tar.bz2) = 373d74bfafce1ca45f85195190d0a5e22b29299e
 RMD160 (qemu-2.3.0.tar.bz2) = cb203bf3faa316c9eb4ceeb975441deab6f9b2f7
@@ -6,6 +6,7 @@
 SHA1 (patch-configure) = 2d0d2549056c9f53a932b236ed4d69a5ee58a856
 SHA1 (patch-ef) = 6e57de87f91067e8a9a1388c91133a31b3582b3a
 SHA1 (patch-et) = 036e1a254ce40df635dfb6107d2707879467e127
+SHA1 (patch-hw_block_fdc.c) = a49f714266b767953d78aa42492cde3ba4ecb06a
 SHA1 (patch-hw_display_omap__dss.c) = 6b13242f28e32346bc70548c216c578d98fd3420
 SHA1 (patch-hw_net_etraxfs__eth.c) = e5dd1661d60dbcd27b332403e0843500ba9544bc
 SHA1 (patch-hw_net_xilinx__axienet.c) = ebcd2676d64ce6f31e4a8c976d4fdf530ad5e8b7
diff -r 3708a3545acb -r a5204894c56e emulators/qemu/patches/patch-hw_block_fdc.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/emulators/qemu/patches/patch-hw_block_fdc.c       Sat May 16 03:19:54 2015 +0000
@@ -0,0 +1,71 @@
+$NetBSD: patch-hw_block_fdc.c,v 1.1 2015/05/16 03:19:54 khorben Exp $
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+--- hw/block/fdc.c.orig        2015-04-27 14:08:23.000000000 +0000
++++ hw/block/fdc.c
+@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl 
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl 
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl 
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fd
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
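Review bot: The `pos %= FD_SECTOR_LEN` reductions in fdctrl_read_data, fdctrl_handle_drive_specification_command and fdctrl_write_data bound the index only if the fifo allocation is at least FD_SECTOR_LEN bytes, and the allocation site is not in this hunk, so the patch should state that invariant next to the first reduction, e.g. `/* fifo is FD_SECTOR_LEN bytes; wrap a guest-controlled data_pos into it */`. The reduction also silently wraps rather than rejects an out-of-range position: data_pos is still advanced by `fdctrl->data_pos++` and compared against data_len afterwards, so a guest that pushes data_pos past the sector length now reads or writes a wrapped fifo slot instead of corrupting memory, which is the right memory-safety outcome but worth a comment since the surrounding protocol logic is unchanged. In fdctrl_handle_drive_specification_command, `pos = fdctrl->data_pos - 1` wraps to UINT32_MAX when data_pos is 0; with uint32_t that is defined and the modulo keeps it in bounds, but a one-line comment would save the next reader from checking. All four patched functions begin or continue outside the quoted hunks.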


