pkgsrc-Changes-HG archive
[pkgsrc/pkgsrc-2015Q1]: pkgsrc/emulators/qemu Pullup ticket #4728 - requested...
details: https://anonhg.NetBSD.org/pkgsrc/rev/4cbe8d2d28ce
branches: pkgsrc-2015Q1
changeset: 649255:4cbe8d2d28ce
user: tron <tron%pkgsrc.org@localhost>
date: Wed May 20 20:32:05 2015 +0000
description:
Pullup ticket #4728 - requested by khorben
emulators/qemu: security patch
Revisions pulled up:
- emulators/qemu/Makefile 1.138,1.137 via patch
- emulators/qemu/distinfo 1.104,1.103
- emulators/qemu/patches/patch-hw_block_fdc.c 1.1
- emulators/qemu/patches/patch-tests_Makefile 1.2
- emulators/qemu/patches/patch-user-exec.c deleted
---
Module Name: pkgsrc
Committed By: khorben
Date: Sat May 16 03:19:54 UTC 2015
Modified Files:
pkgsrc/emulators/qemu: Makefile distinfo
Added Files:
pkgsrc/emulators/qemu/patches: patch-hw_block_fdc.c
Log Message:
Add patch for CVE-2015-3456.
fdc: force the fifo access to be in bounds of the allocated buffer
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.
XXX pull-up where applicable
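As an added illustration (not QEMU's or pkgsrc's code), a trimmed model of the FIFO indexing the log message describes: the hypothetical `MiniFDCtrl` keeps only the fields the patch touches, and the functions mirror the patched `fdctrl_write_data` and `fdctrl_handle_drive_specification_command` logic, including the `data_pos - 1` unsigned wrap at `data_pos == 0`.

```c
/* Added example, not QEMU's code: minimal model of the fdc FIFO index
 * bounding introduced for CVE-2015-3456. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FD_SECTOR_LEN 512   /* the constant the patch bounds against */

/* Hypothetical cut-down controller state (only what the patch uses). */
typedef struct {
    uint8_t  fifo[FD_SECTOR_LEN];
    uint32_t data_pos;
    uint32_t data_len;
} MiniFDCtrl;

/* Pre-fix check only: would the raw, unbounded index have stayed inside
 * fifo[]?  We never touch memory outside the array. */
bool raw_index_in_bounds(uint32_t data_pos) {
    return data_pos < FD_SECTOR_LEN;
}

/* Post-fix store, as in fdctrl_write_data: clamp, then write.
 * Returns the slot actually written; data_pos itself keeps counting. */
uint32_t fifo_write(MiniFDCtrl *f, uint8_t value) {
    uint32_t pos = f->data_pos++;
    pos %= FD_SECTOR_LEN;          /* always in [0, FD_SECTOR_LEN) */
    f->fifo[pos] = value;
    return pos;
}

/* Post-fix lookup of the last parameter byte, as in
 * fdctrl_handle_drive_specification_command.  data_pos - 1 is uint32_t,
 * so data_pos == 0 wraps to 0xFFFFFFFF and the modulo maps it to 511,
 * still inside fifo[]. */
uint32_t fifo_last_param_index(const MiniFDCtrl *f) {
    uint32_t pos = f->data_pos - 1;
    pos %= FD_SECTOR_LEN;
    return pos;
}

int main(void) {
    MiniFDCtrl f = { .data_pos = 600, .data_len = 0 }; /* constructed */
    printf("raw index 600 in bounds: %d\n", raw_index_in_bounds(f.data_pos));
    printf("clamped slot written: %u\n", fifo_write(&f, 0x80));
    f.data_pos = 0;
    printf("last-param slot at data_pos 0: %u\n", fifo_last_param_index(&f));
    return 0;
}
```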
---
Module Name: pkgsrc
Committed By: ryoon
Date: Wed Apr 29 20:30:53 UTC 2015
Modified Files:
pkgsrc/emulators/qemu: Makefile distinfo
pkgsrc/emulators/qemu/patches: patch-tests_Makefile
Removed Files:
pkgsrc/emulators/qemu/patches: patch-user-exec.c
Log Message:
Update to 2.3.0
Changelog:
* Support for 32-bit KVM guests on 64-bit ARM hosts
* Support for running KVM under valgrind
* New IvyBridge CPU model for x86 guests
* Xen: support for ioreq-server API
* New 5KEc and 5KEf MIPS64r2, and M14K and M14Kc MIPS32r2
microMIPS CPU models for MIPS guests
* Basic support for transactional memory extensions in PowerPC guests
* Improved VGA support for little-endian PPC/pSeries guests
* PCI bus support for s390x guests
* Support for automatic guest device unplug when passthrough devices
are unbound from VFIO host driver
* Improved UI performance/support for GTK+/VNC/SDL/Spice, and VNC
support for multiseat
* Performance improvements for virtio-blk emulation: asynchronous SCSI
request handling, and disk read merging.
* QEMU Guest Agent: now also supports file operations in Windows guests,
can be used to enable/disable memory blocks in linux guests in
support for memory hotplug.
* Migration can now include a JSON description of migration stream to aid
in identifying incompatibilities between guests/hosts.
* And lots more...
diffstat:
emulators/qemu/Makefile | 3 +-
emulators/qemu/distinfo | 3 +-
emulators/qemu/patches/patch-hw_block_fdc.c | 71 +++++++++++++++++++++++++++++
3 files changed, 75 insertions(+), 2 deletions(-)
diffs (104 lines):
diff -r 9495143a4ce4 -r 4cbe8d2d28ce emulators/qemu/Makefile
--- a/emulators/qemu/Makefile Tue May 19 18:04:30 2015 +0000
+++ b/emulators/qemu/Makefile Wed May 20 20:32:05 2015 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.135 2015/03/13 09:09:12 ryoon Exp $
+# $NetBSD: Makefile,v 1.135.2.1 2015/05/20 20:32:05 tron Exp $
DISTNAME= qemu-2.2.1
+PKGREVISION= 1
CATEGORIES= emulators
MASTER_SITES= http://wiki.qemu.org/download/
EXTRACT_SUFX= .tar.bz2
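Review bot: the `PKGREVISION= 1` bump is the right accompaniment for a patch-only change that leaves `DISTNAME= qemu-2.2.1` untouched, since it is what forces binary packages to be rebuilt with the fix; the RCS id moving to the branch revision `1.135.2.1` matches the pullup target.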
diff -r 9495143a4ce4 -r 4cbe8d2d28ce emulators/qemu/distinfo
--- a/emulators/qemu/distinfo Tue May 19 18:04:30 2015 +0000
+++ b/emulators/qemu/distinfo Wed May 20 20:32:05 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.102 2015/03/13 09:09:12 ryoon Exp $
+$NetBSD: distinfo,v 1.102.2.1 2015/05/20 20:32:05 tron Exp $
SHA1 (qemu-2.2.1.tar.bz2) = 4d1cefc9861fb90979497e8c0bffd223103aa240
RMD160 (qemu-2.2.1.tar.bz2) = 53430a4cc637f6579cce2e29cb72f3af292c793b
@@ -6,6 +6,7 @@
SHA1 (patch-configure) = 2d0d2549056c9f53a932b236ed4d69a5ee58a856
SHA1 (patch-ef) = 6e57de87f91067e8a9a1388c91133a31b3582b3a
SHA1 (patch-et) = 036e1a254ce40df635dfb6107d2707879467e127
+SHA1 (patch-hw_block_fdc.c) = a49f714266b767953d78aa42492cde3ba4ecb06a
SHA1 (patch-hw_display_omap__dss.c) = 6b13242f28e32346bc70548c216c578d98fd3420
SHA1 (patch-hw_net_etraxfs__eth.c) = e5dd1661d60dbcd27b332403e0843500ba9544bc
SHA1 (patch-hw_net_xilinx__axienet.c) = ebcd2676d64ce6f31e4a8c976d4fdf530ad5e8b7
diff -r 9495143a4ce4 -r 4cbe8d2d28ce emulators/qemu/patches/patch-hw_block_fdc.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/emulators/qemu/patches/patch-hw_block_fdc.c Wed May 20 20:32:05 2015 +0000
@@ -0,0 +1,71 @@
+$NetBSD: patch-hw_block_fdc.c,v 1.1.2.2 2015/05/20 20:32:06 tron Exp $
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+--- hw/block/fdc.c.orig 2015-04-27 14:08:23.000000000 +0000
++++ hw/block/fdc.c
+@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
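Review bot: the actual bound is the relocated `pos %= FD_SECTOR_LEN;` line, which now runs before the `FD_MSR_NONDMA` test so the DMA read path is clamped as well as the non-DMA path that already had it; the preceding hunk's `int` to `uint32_t` change is what guarantees the remainder is non-negative. Note that the fix wraps an overlong index rather than rejecting it, so a `data_pos` past `FD_SECTOR_LEN` silently aliases an earlier FIFO slot; a one-line comment on the moved line saying that is intended would help the next reader.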
+@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
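Review bot: `pos = fdctrl->data_pos - 1;` is evaluated in `uint32_t`, so a `data_pos` of 0 wraps to 0xFFFFFFFF and the following `pos %= FD_SECTOR_LEN;` yields 511, which is inside the buffer; that is safe but non-obvious and deserves a comment. The remaining `fdctrl->fifo[0]` through `fdctrl->fifo[3]` stores in this hunk use constant indices and are unaffected.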
+@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fd
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
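Review bot: only the store index is clamped here; `fdctrl->data_pos` itself still increments without bound (`pos = fdctrl->data_pos++;`), which keeps the `fdctrl->data_pos == fdctrl->data_len` completion check below working on the unclamped counter. Writes beyond `FD_SECTOR_LEN` now overwrite earlier FIFO slots instead of adjacent memory, so any later `fifo[]` access in this function must index with `pos`, not `data_pos`, or the same defect returns.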