diff options
author | spz <spz@pkgsrc.org> | 2015-06-13 09:13:49 +0000 |
---|---|---|
committer | spz <spz@pkgsrc.org> | 2015-06-13 09:13:49 +0000 |
commit | a414a6e5d70ce7b712be3233d8b9f941785d5fa3 (patch) | |
tree | f3d198d995ddc3b67ca83ac757193360b4d77055 | |
parent | 3064915dc59f41d6f3ca5ac0320c6b8eb670d8be (diff) | |
download | pkgsrc-a414a6e5d70ce7b712be3233d8b9f941785d5fa3.tar.gz |
Pullup ticket #4745 - requested by khorben
sysutils/xenkernel42: security patch
Revisions pulled up:
- sysutils/xenkernel42/Makefile 1.16
- sysutils/xenkernel42/distinfo 1.14
- sysutils/xenkernel42/patches/patch-CVE-2015-3456 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: khorben
Date: Fri Jun 5 18:18:41 UTC 2015
Modified Files:
pkgsrc/sysutils/xenkernel42: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel42/patches: patch-CVE-2015-3456
Log Message:
Apply fixes from upstream for XSA-133
XXX pull-ups
To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 pkgsrc/sysutils/xenkernel42/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/sysutils/xenkernel42/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/sysutils/xenkernel42/patches/patch-CVE-2015-3456
-rw-r--r-- | sysutils/xenkernel42/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xenkernel42/distinfo | 3 | ||||
-rw-r--r-- | sysutils/xenkernel42/patches/patch-CVE-2015-3456 | 131 |
3 files changed, 135 insertions, 3 deletions
diff --git a/sysutils/xenkernel42/Makefile b/sysutils/xenkernel42/Makefile index 52ac234e8d4..3dfa189ec59 100644 --- a/sysutils/xenkernel42/Makefile +++ b/sysutils/xenkernel42/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.14.2.1 2015/04/29 21:11:12 tron Exp $ +# $NetBSD: Makefile,v 1.14.2.2 2015/06/13 09:13:49 spz Exp $ VERSION= 4.2.5 DISTNAME= xen-${VERSION} PKGNAME= xenkernel42-${VERSION} -PKGREVISION= 6 +PKGREVISION= 7 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel42/distinfo b/sysutils/xenkernel42/distinfo index aa7c41880a4..c144b33678f 100644 --- a/sysutils/xenkernel42/distinfo +++ b/sysutils/xenkernel42/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.12.2.1 2015/04/29 21:11:12 tron Exp $ +$NetBSD: distinfo,v 1.12.2.2 2015/06/13 09:13:49 spz Exp $ SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19 @@ -13,6 +13,7 @@ SHA1 (patch-CVE-2015-2045) = f70839fabd4ef9086c8fb808e4f3448a8e844c98 SHA1 (patch-CVE-2015-2151) = df05750b86331b88102b41f065c314c38c6bc396 SHA1 (patch-CVE-2015-2752) = 62547b55385aaf54af23270939fe086b996d5744 SHA1 (patch-CVE-2015-2756) = cb1be46c28e6f88c13fc0d26ff0606bdb877283c +SHA1 (patch-CVE-2015-3456) = 8d54d33b81ef77056aa6f58ab123912948454020 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 diff --git a/sysutils/xenkernel42/patches/patch-CVE-2015-3456 b/sysutils/xenkernel42/patches/patch-CVE-2015-3456 new file mode 100644 index 00000000000..205e7bbfa95 --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-CVE-2015-3456 @@ -0,0 +1,131 @@ +$NetBSD: patch-CVE-2015-3456,v 1.1.2.2 2015/06/13 09:13:49 spz Exp $ + +fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reviewed-by: John Snow <jsnow@redhat.com> + +--- tools/qemu-xen/hw/fdc.c.orig ++++ tools/qemu-xen/hw/fdc.c +@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command +--- tools/qemu-xen-traditional/hw/fdc.c.orig ++++ tools/qemu-xen-traditional/hw/fdc.c +@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) + { + fdrive_t *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction) + { + fdrive_t *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) + { + fdrive_t *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command |