authortron <tron@pkgsrc.org>2015-05-20 20:32:05 +0000
committertron <tron@pkgsrc.org>2015-05-20 20:32:05 +0000
commit60ba732c3b0351ecbc98336085c99cff76971605 (patch)
treeac0feec2ac58f3a6b2059e5bc3b8e61f4949bf72
parent88e1cb4e9589c59236dcaf50cd9f3b90519f07f6 (diff)
downloadpkgsrc-60ba732c3b0351ecbc98336085c99cff76971605.tar.gz
Pullup ticket #4728 - requested by khorben
emulators/qemu: security patch Revisions pulled up: - emulators/qemu/Makefile 1.138,1.137 via patch - emulators/qemu/distinfo 1.104,1.103 - emulators/qemu/patches/patch-hw_block_fdc.c 1.1 - emulators/qemu/patches/patch-tests_Makefile 1.2 - emulators/qemu/patches/patch-user-exec.c deleted --- Module Name: pkgsrc Committed By: khorben Date: Sat May 16 03:19:54 UTC 2015 Modified Files: pkgsrc/emulators/qemu: Makefile distinfo Added Files: pkgsrc/emulators/qemu/patches: patch-hw_block_fdc.c Log Message: Add patch for CVE-2015-3456. fdc: force the fifo access to be in bounds of the allocated buffer During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest. Fix this by making sure that the index is always bounded by the allocated memory. XXX pull-up where applicable --- Module Name: pkgsrc Committed By: ryoon Date: Wed Apr 29 20:30:53 UTC 2015 Modified Files: pkgsrc/emulators/qemu: Makefile distinfo pkgsrc/emulators/qemu/patches: patch-tests_Makefile Removed Files: pkgsrc/emulators/qemu/patches: patch-user-exec.c Log Message: Update to 2.3.0 Changelog: * Support for 32-bit KVM guests on 64-bit ARM hosts * Support for running KVM under valgrind * New IvyBridge CPU model for x86 guests * Xen: support for ioreq-server API * New 5KEc and 5KEf MIPS64r2, and M14K and M14Kc MIPS32r2 microMIPS CPU models for MIPS guests * Basic support for transactional memory extentions in PowerPC guests * Improved VGA support for little-endian PPC/pSeries guests * PCI bus support for s390x guests * Support for automatic guest device unplug when passthrough devices are unbound from VFIO host driver * Improved UI performance/support for GTK+/VNC/SDL/Spice, and VNC support for multiseat * Performance improvements for virtio-blk emulation: asynchronous SCSI request handling, and disk read merging. 
* QEMU Guest Agent: now also supports file operations in Windows guests, can be used to enable/disable memory blocks in linux guests in support for memory hotplug. * Migration can now include a JSON description of migration stream to aid in identifying incompatibilities between guests/hosts. * And lots more...
-rw-r--r--emulators/qemu/Makefile3
-rw-r--r--emulators/qemu/distinfo3
-rw-r--r--emulators/qemu/patches/patch-hw_block_fdc.c71
3 files changed, 75 insertions, 2 deletions
diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile
index fa4c8fcf92e..b77bd589cb0 100644
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.135 2015/03/13 09:09:12 ryoon Exp $
+# $NetBSD: Makefile,v 1.135.2.1 2015/05/20 20:32:05 tron Exp $
DISTNAME= qemu-2.2.1
+PKGREVISION= 1
CATEGORIES= emulators
MASTER_SITES= http://wiki.qemu.org/download/
EXTRACT_SUFX= .tar.bz2
diff --git a/emulators/qemu/distinfo b/emulators/qemu/distinfo
index c2d58639a45..81ccb4e1364 100644
--- a/emulators/qemu/distinfo
+++ b/emulators/qemu/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.102 2015/03/13 09:09:12 ryoon Exp $
+$NetBSD: distinfo,v 1.102.2.1 2015/05/20 20:32:05 tron Exp $
SHA1 (qemu-2.2.1.tar.bz2) = 4d1cefc9861fb90979497e8c0bffd223103aa240
RMD160 (qemu-2.2.1.tar.bz2) = 53430a4cc637f6579cce2e29cb72f3af292c793b
@@ -6,6 +6,7 @@ Size (qemu-2.2.1.tar.bz2) = 24483500 bytes
SHA1 (patch-configure) = 2d0d2549056c9f53a932b236ed4d69a5ee58a856
SHA1 (patch-ef) = 6e57de87f91067e8a9a1388c91133a31b3582b3a
SHA1 (patch-et) = 036e1a254ce40df635dfb6107d2707879467e127
+SHA1 (patch-hw_block_fdc.c) = a49f714266b767953d78aa42492cde3ba4ecb06a
SHA1 (patch-hw_display_omap__dss.c) = 6b13242f28e32346bc70548c216c578d98fd3420
SHA1 (patch-hw_net_etraxfs__eth.c) = e5dd1661d60dbcd27b332403e0843500ba9544bc
SHA1 (patch-hw_net_xilinx__axienet.c) = ebcd2676d64ce6f31e4a8c976d4fdf530ad5e8b7
diff --git a/emulators/qemu/patches/patch-hw_block_fdc.c b/emulators/qemu/patches/patch-hw_block_fdc.c
new file mode 100644
index 00000000000..af3089f58ec
--- /dev/null
+++ b/emulators/qemu/patches/patch-hw_block_fdc.c
@@ -0,0 +1,71 @@
+$NetBSD: patch-hw_block_fdc.c,v 1.1.2.2 2015/05/20 20:32:06 tron Exp $
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+--- hw/block/fdc.c.orig 2015-04-27 14:08:23.000000000 +0000
++++ hw/block/fdc.c
+@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fd
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
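Review bot: The patch header names CVE-2015-3456 but gives no upstream reference, so the backport cannot be checked against the QEMU commit it mirrors; add a line after the CVE line such as `Upstream: <URL of the qemu.git commit fixing CVE-2015-3456>`. In fdctrl_handle_drive_specification_command the new `pos = fdctrl->data_pos - 1;` operates on a uint32_t, so a data_pos of 0 wraps to UINT32_MAX before `pos %= FD_SECTOR_LEN;`; the result still lands inside the buffer, but that depends on unsigned wraparound and deserves a comment, e.g. `/* unsigned wrap keeps pos in [0, FD_SECTOR_LEN) even when data_pos == 0 */`. Note also that the modulo only masks the index: data_pos itself keeps growing in fdctrl_write_data (`pos = fdctrl->data_pos++;`), so an overlong guest command silently wraps the fifo rather than being rejected, which is fine for a minimal security backport but worth stating in the header so a later sync with upstream does not drop it by accident. All four patched functions start or end outside the hunks shown, so the surrounding uses of data_pos cannot be confirmed from this page.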