authorspz <spz@pkgsrc.org>2015-06-13 09:13:34 +0000
committerspz <spz@pkgsrc.org>2015-06-13 09:13:34 +0000
commit9baca2d1f7fa9a9237d08f4ac82b55f06badf2ca (patch)
tree2695e3744be121f05584c61689718620a41f58c1
parente37b7f8db460ba7f1983b7a70a4ad766629643ee (diff)
Pullup ticket #4743 - requested by khorben
sysutils/xenkernel45: security patch Revisions pulled up: - sysutils/xenkernel45/Makefile 1.8 - sysutils/xenkernel45/distinfo 1.7 - sysutils/xenkernel45/patches/patch-CVE-2015-3456 1.1 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: khorben Date: Fri Jun 5 17:15:04 UTC 2015 Modified Files: pkgsrc/sysutils/xenkernel45: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel45/patches: patch-CVE-2015-3456 Log Message: Apply fixes from upstream for XSA-133 Privilege escalation via emulated floppy disk drive The code in qemu which emulates a floppy disk controller did not correctly bounds check accesses to an array and therefore was vulnerable to a buffer overflow attack. A guest which has access to an emulated floppy device can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process. All Xen systems running x86 HVM guests without stubdomains are vulnerable to this depending on the specific guest configuration. The default configuration is vulnerable. Guests using either the traditional "qemu-xen" or upstream qemu device models are vulnerable. Guests using a qemu-dm stubdomain to run the device model are only vulnerable to takeover of that service domain. Systems running only x86 PV guests are not vulnerable. ARM systems are not vulnerable. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/xenkernel45/Makefile cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/xenkernel45/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel45/patches/patch-CVE-2015-3456
-rw-r--r--sysutils/xenkernel45/Makefile4
-rw-r--r--sysutils/xenkernel45/distinfo3
-rw-r--r--sysutils/xenkernel45/patches/patch-CVE-2015-3456131
3 files changed, 135 insertions, 3 deletions
diff --git a/sysutils/xenkernel45/Makefile b/sysutils/xenkernel45/Makefile
index 134ac29dd51..90683e07f32 100644
--- a/sysutils/xenkernel45/Makefile
+++ b/sysutils/xenkernel45/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.5.2.2 2015/04/29 21:16:43 tron Exp $
+# $NetBSD: Makefile,v 1.5.2.3 2015/06/13 09:13:34 spz Exp $
VERSION= 4.5.0
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel45-${VERSION}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel45/distinfo b/sysutils/xenkernel45/distinfo
index 0b62a92619e..bccb2ade1d2 100644
--- a/sysutils/xenkernel45/distinfo
+++ b/sysutils/xenkernel45/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4.2.2 2015/04/29 21:16:43 tron Exp $
+$NetBSD: distinfo,v 1.4.2.3 2015/06/13 09:13:34 spz Exp $
SHA1 (xen-4.5.0.tar.gz) = c4aab5fb366496ad1edc7fe0a935a0d604335637
RMD160 (xen-4.5.0.tar.gz) = e35ba0cb484492c1a289218eb9bf53b57dbd3a45
@@ -9,6 +9,7 @@ SHA1 (patch-CVE-2015-2151) = 30344d233eade872fa7062493d754f8bccaf9d2a
SHA1 (patch-CVE-2015-2751) = b0ab727ae01291a0e4ea2efe3931b6cd00df1a39
SHA1 (patch-CVE-2015-2752) = 390edab296a91c83197205dce7030cbdd60e0d78
SHA1 (patch-CVE-2015-2756) = e76490b858e213d09d326b413004d29a7e177b20
+SHA1 (patch-CVE-2015-3456) = c81924ca3b562f8cc64a3dcce81fe730e838910a
SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf
SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe
SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
diff --git a/sysutils/xenkernel45/patches/patch-CVE-2015-3456 b/sysutils/xenkernel45/patches/patch-CVE-2015-3456
new file mode 100644
index 00000000000..6dd5063299d
--- /dev/null
+++ b/sysutils/xenkernel45/patches/patch-CVE-2015-3456
@@ -0,0 +1,131 @@
+$NetBSD: patch-CVE-2015-3456,v 1.1.2.2 2015/06/13 09:13:34 spz Exp $
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+
+--- tools/qemu-xen/hw/block/fdc.c
++++ tools/qemu-xen/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--- tools/qemu-xen-traditional/hw/fdc.c
++++ tools/qemu-xen-traditional/hw/fdc.c
+@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
+ {
+ fdrive_t *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+ fdrive_t *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+ fdrive_t *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
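Review bot: In fdctrl_handle_drive_specification_command (both the qemu-xen and qemu-xen-traditional copies), `pos = fdctrl->data_pos - 1;` wraps to UINT32_MAX when data_pos is 0 and the following `pos %= FD_SECTOR_LEN;` then lands on FD_SECTOR_LEN - 1, so a stale fifo byte is consumed instead of the access being rejected; that is only harmless if every caller guarantees data_pos >= 1, which the hunk does not show. The same modulo in fdctrl_read_data and fdctrl_write_data clamps the index into the fifo but silently aliases an out-of-range position rather than reporting it, and that intent should be stated at each site with a comment such as `/* clamp, not validate: keep the index inside fifo[FD_SECTOR_LEN] even if data_pos is out of range */`. The bound also presumes fifo is allocated with exactly FD_SECTOR_LEN bytes; if the allocation uses a different constant a compile-time assertion tying the two together would keep the clamp honest. All three enclosing functions start and end outside the hunk.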