diff options
author | spz <spz@pkgsrc.org> | 2015-06-13 09:13:34 +0000 |
---|---|---|
committer | spz <spz@pkgsrc.org> | 2015-06-13 09:13:34 +0000 |
commit | 9baca2d1f7fa9a9237d08f4ac82b55f06badf2ca (patch) | |
tree | 2695e3744be121f05584c61689718620a41f58c1 | |
parent | e37b7f8db460ba7f1983b7a70a4ad766629643ee (diff) | |
download | pkgsrc-9baca2d1f7fa9a9237d08f4ac82b55f06badf2ca.tar.gz |
Pullup ticket #4743 - requested by khorben
sysutils/xenkernel45: security patch
Revisions pulled up:
- sysutils/xenkernel45/Makefile 1.8
- sysutils/xenkernel45/distinfo 1.7
- sysutils/xenkernel45/patches/patch-CVE-2015-3456 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: khorben
Date: Fri Jun 5 17:15:04 UTC 2015
Modified Files:
pkgsrc/sysutils/xenkernel45: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel45/patches: patch-CVE-2015-3456
Log Message:
Apply fixes from upstream for XSA-133
Privilege escalation via emulated floppy disk drive
The code in qemu which emulates a floppy disk controller did not
correctly bounds check accesses to an array and therefore was
vulnerable to a buffer overflow attack.
A guest which has access to an emulated floppy device can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.
All Xen systems running x86 HVM guests without stubdomains are
vulnerable to this depending on the specific guest configuration. The
default configuration is vulnerable.
Guests using either the traditional "qemu-xen" or upstream qemu device
models are vulnerable.
Guests using a qemu-dm stubdomain to run the device model are only
vulnerable to takeover of that service domain.
Systems running only x86 PV guests are not vulnerable.
ARM systems are not vulnerable.
To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/xenkernel45/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/xenkernel45/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel45/patches/patch-CVE-2015-3456
-rw-r--r-- | sysutils/xenkernel45/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xenkernel45/distinfo | 3 | ||||
-rw-r--r-- | sysutils/xenkernel45/patches/patch-CVE-2015-3456 | 131 |
3 files changed, 135 insertions, 3 deletions
diff --git a/sysutils/xenkernel45/Makefile b/sysutils/xenkernel45/Makefile index 134ac29dd51..90683e07f32 100644 --- a/sysutils/xenkernel45/Makefile +++ b/sysutils/xenkernel45/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.5.2.2 2015/04/29 21:16:43 tron Exp $ +# $NetBSD: Makefile,v 1.5.2.3 2015/06/13 09:13:34 spz Exp $ VERSION= 4.5.0 DISTNAME= xen-${VERSION} PKGNAME= xenkernel45-${VERSION} -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel45/distinfo b/sysutils/xenkernel45/distinfo index 0b62a92619e..bccb2ade1d2 100644 --- a/sysutils/xenkernel45/distinfo +++ b/sysutils/xenkernel45/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.4.2.2 2015/04/29 21:16:43 tron Exp $ +$NetBSD: distinfo,v 1.4.2.3 2015/06/13 09:13:34 spz Exp $ SHA1 (xen-4.5.0.tar.gz) = c4aab5fb366496ad1edc7fe0a935a0d604335637 RMD160 (xen-4.5.0.tar.gz) = e35ba0cb484492c1a289218eb9bf53b57dbd3a45 @@ -9,6 +9,7 @@ SHA1 (patch-CVE-2015-2151) = 30344d233eade872fa7062493d754f8bccaf9d2a SHA1 (patch-CVE-2015-2751) = b0ab727ae01291a0e4ea2efe3931b6cd00df1a39 SHA1 (patch-CVE-2015-2752) = 390edab296a91c83197205dce7030cbdd60e0d78 SHA1 (patch-CVE-2015-2756) = e76490b858e213d09d326b413004d29a7e177b20 +SHA1 (patch-CVE-2015-3456) = c81924ca3b562f8cc64a3dcce81fe730e838910a SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154 diff --git a/sysutils/xenkernel45/patches/patch-CVE-2015-3456 b/sysutils/xenkernel45/patches/patch-CVE-2015-3456 new file mode 100644 index 00000000000..6dd5063299d --- /dev/null +++ b/sysutils/xenkernel45/patches/patch-CVE-2015-3456 @@ -0,0 +1,131 @@ +$NetBSD: patch-CVE-2015-3456,v 1.1.2.2 2015/06/13 09:13:34 spz Exp $ + +fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reviewed-by: John Snow <jsnow@redhat.com> + +--- tools/qemu-xen/hw/block/fdc.c ++++ tools/qemu-xen/hw/block/fdc.c +@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command +--- tools/qemu-xen-traditional/hw/fdc.c ++++ tools/qemu-xen-traditional/hw/fdc.c +@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) + { + fdrive_t *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction) + { + fdrive_t *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) + { + fdrive_t *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command |