author | khorben <khorben@pkgsrc.org> | 2015-05-16 03:19:54 +0000 |
---|---|---|
committer | khorben <khorben@pkgsrc.org> | 2015-05-16 03:19:54 +0000 |
commit | 8c87f724adf704494abc276a2a85639bb57d19d4 (patch) | |
tree | a37a194f3ba59f40835e64aa29c7639b49be57d5 /emulators | |
parent | e71198c5cd6bc6ca09ca4bdf3000331598250f4c (diff) | |
download | pkgsrc-8c87f724adf704494abc276a2a85639bb57d19d4.tar.gz |
Add patch for CVE-2015-3456.
fdc: force the fifo access to be in bounds of the allocated buffer
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.
XXX pull-up where applicable
Diffstat (limited to 'emulators')
-rw-r--r-- | emulators/qemu/Makefile | 3 | ||||
-rw-r--r-- | emulators/qemu/distinfo | 3 | ||||
-rw-r--r-- | emulators/qemu/patches/patch-hw_block_fdc.c | 71 |
3 files changed, 75 insertions, 2 deletions
diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile
index 21e0d28e6b4..6dfacc3fab1 100644
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.137 2015/04/29 20:30:53 ryoon Exp $
+# $NetBSD: Makefile,v 1.138 2015/05/16 03:19:54 khorben Exp $
 DISTNAME= qemu-2.3.0
+PKGREVISION= 1
 CATEGORIES= emulators
 MASTER_SITES= http://wiki.qemu.org/download/
 EXTRACT_SUFX= .tar.bz2
diff --git a/emulators/qemu/distinfo b/emulators/qemu/distinfo
index 20f0b5bd64a..f2d3be2ef36 100644
--- a/emulators/qemu/distinfo
+++ b/emulators/qemu/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.103 2015/04/29 20:30:53 ryoon Exp $
+$NetBSD: distinfo,v 1.104 2015/05/16 03:19:54 khorben Exp $
 SHA1 (qemu-2.3.0.tar.bz2) = 373d74bfafce1ca45f85195190d0a5e22b29299e
 RMD160 (qemu-2.3.0.tar.bz2) = cb203bf3faa316c9eb4ceeb975441deab6f9b2f7
@@ -6,6 +6,7 @@ Size (qemu-2.3.0.tar.bz2) = 24683085 bytes
 SHA1 (patch-configure) = 2d0d2549056c9f53a932b236ed4d69a5ee58a856
 SHA1 (patch-ef) = 6e57de87f91067e8a9a1388c91133a31b3582b3a
 SHA1 (patch-et) = 036e1a254ce40df635dfb6107d2707879467e127
+SHA1 (patch-hw_block_fdc.c) = a49f714266b767953d78aa42492cde3ba4ecb06a
 SHA1 (patch-hw_display_omap__dss.c) = 6b13242f28e32346bc70548c216c578d98fd3420
 SHA1 (patch-hw_net_etraxfs__eth.c) = e5dd1661d60dbcd27b332403e0843500ba9544bc
 SHA1 (patch-hw_net_xilinx__axienet.c) = ebcd2676d64ce6f31e4a8c976d4fdf530ad5e8b7
diff --git a/emulators/qemu/patches/patch-hw_block_fdc.c b/emulators/qemu/patches/patch-hw_block_fdc.c
new file mode 100644
index 00000000000..baf23a3e69f
--- /dev/null
+++ b/emulators/qemu/patches/patch-hw_block_fdc.c
@@ -0,0 +1,71 @@
+$NetBSD: patch-hw_block_fdc.c,v 1.1 2015/05/16 03:19:54 khorben Exp $
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+--- hw/block/fdc.c.orig 2015-04-27 14:08:23.000000000 +0000
++++ hw/block/fdc.c
+@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fd
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command |
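Review bot: Each of the three new `pos %= FD_SECTOR_LEN;` reductions (in fdctrl_read_data, fdctrl_handle_drive_specification_command and fdctrl_write_data) relies on fdctrl->fifo being exactly FD_SECTOR_LEN bytes long, and the allocation that establishes that is not in this patch, so the coupling is invisible at the point of use. A one-line comment at the first reduction would make the invariant explicit for anyone later resizing the fifo, e.g. `/* data_pos is guest-controlled: keep the fifo[] index inside the FD_SECTOR_LEN-byte buffer (CVE-2015-3456) */`. In fdctrl_handle_drive_specification_command, `pos = fdctrl->data_pos - 1;` wraps to UINT32_MAX when data_pos is 0, which the modulo maps to index 511 instead of reporting a bad state; if a zero data_pos is reachable there, an explicit check would be clearer than relying on the wrap, though that cannot be confirmed from this hunk. All four patched functions begin or end outside the quoted hunks.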