pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/sysutils/xenkernel45 Apply fixes from upstream for XSA...
details: https://anonhg.NetBSD.org/pkgsrc/rev/8e492b693b48
branches: trunk
changeset: 652627:8e492b693b48
user: khorben <khorben%pkgsrc.org@localhost>
date: Fri Jun 05 17:15:04 2015 +0000
description:
Apply fixes from upstream for XSA-133
Privilege escalation via emulated floppy disk drive
The code in qemu which emulates a floppy disk controller did not
correctly bounds check accesses to an array and therefore was
vulnerable to a buffer overflow attack.
A guest which has access to an emulated floppy device can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.
All Xen systems running x86 HVM guests without stubdomains are
vulnerable to this depending on the specific guest configuration. The
default configuration is vulnerable.
Guests using either the traditional "qemu-xen" or upstream qemu device
models are vulnerable.
Guests using a qemu-dm stubdomain to run the device model are only
vulnerable to takeover of that service domain.
Systems running only x86 PV guests are not vulnerable.
ARM systems are not vulnerable.
diffstat:
sysutils/xenkernel45/Makefile | 4 +-
sysutils/xenkernel45/distinfo | 3 +-
sysutils/xenkernel45/patches/patch-CVE-2015-3456 | 131 +++++++++++++++++++++++
3 files changed, 135 insertions(+), 3 deletions(-)
diffs (167 lines):
diff -r ca09d021074e -r 8e492b693b48 sysutils/xenkernel45/Makefile
--- a/sysutils/xenkernel45/Makefile Fri Jun 05 14:43:48 2015 +0000
+++ b/sysutils/xenkernel45/Makefile Fri Jun 05 17:15:04 2015 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.7 2015/04/19 15:02:12 spz Exp $
+# $NetBSD: Makefile,v 1.8 2015/06/05 17:15:04 khorben Exp $
VERSION= 4.5.0
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel45-${VERSION}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff -r ca09d021074e -r 8e492b693b48 sysutils/xenkernel45/distinfo
--- a/sysutils/xenkernel45/distinfo Fri Jun 05 14:43:48 2015 +0000
+++ b/sysutils/xenkernel45/distinfo Fri Jun 05 17:15:04 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2015/04/19 15:02:12 spz Exp $
+$NetBSD: distinfo,v 1.7 2015/06/05 17:15:04 khorben Exp $
SHA1 (xen-4.5.0.tar.gz) = c4aab5fb366496ad1edc7fe0a935a0d604335637
RMD160 (xen-4.5.0.tar.gz) = e35ba0cb484492c1a289218eb9bf53b57dbd3a45
@@ -9,6 +9,7 @@
SHA1 (patch-CVE-2015-2751) = b0ab727ae01291a0e4ea2efe3931b6cd00df1a39
SHA1 (patch-CVE-2015-2752) = 390edab296a91c83197205dce7030cbdd60e0d78
SHA1 (patch-CVE-2015-2756) = e76490b858e213d09d326b413004d29a7e177b20
+SHA1 (patch-CVE-2015-3456) = c81924ca3b562f8cc64a3dcce81fe730e838910a
SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf
SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe
SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
diff -r ca09d021074e -r 8e492b693b48 sysutils/xenkernel45/patches/patch-CVE-2015-3456
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel45/patches/patch-CVE-2015-3456 Fri Jun 05 17:15:04 2015 +0000
@@ -0,0 +1,131 @@
+$NetBSD: patch-CVE-2015-3456,v 1.1 2015/06/05 17:15:04 khorben Exp $
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse%redhat.com@localhost>
+Reviewed-by: John Snow <jsnow%redhat.com@localhost>
+
+--- tools/qemu-xen/hw/block/fdc.c
++++ tools/qemu-xen/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--- tools/qemu-xen-traditional/hw/fdc.c
++++ tools/qemu-xen-traditional/hw/fdc.c
+@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
+ {
+ fdrive_t *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+ fdrive_t *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+ fdrive_t *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
Home |
Main Index |
Thread Index |
Old Index