diff options
Diffstat (limited to 'emulators')
| -rw-r--r-- | emulators/qemu/Makefile | 3 | ||||
| -rw-r--r-- | emulators/qemu/distinfo | 3 | ||||
| -rw-r--r-- | emulators/qemu/patches/patch-hw_block_fdc.c | 71 |
3 files changed, 75 insertions, 2 deletions
diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile index 21e0d28e6b4..6dfacc3fab1 100644 --- a/emulators/qemu/Makefile +++ b/emulators/qemu/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.137 2015/04/29 20:30:53 ryoon Exp $ +# $NetBSD: Makefile,v 1.138 2015/05/16 03:19:54 khorben Exp $ DISTNAME= qemu-2.3.0 +PKGREVISION= 1 CATEGORIES= emulators MASTER_SITES= http://wiki.qemu.org/download/ EXTRACT_SUFX= .tar.bz2 diff --git a/emulators/qemu/distinfo b/emulators/qemu/distinfo index 20f0b5bd64a..f2d3be2ef36 100644 --- a/emulators/qemu/distinfo +++ b/emulators/qemu/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.103 2015/04/29 20:30:53 ryoon Exp $ +$NetBSD: distinfo,v 1.104 2015/05/16 03:19:54 khorben Exp $ SHA1 (qemu-2.3.0.tar.bz2) = 373d74bfafce1ca45f85195190d0a5e22b29299e RMD160 (qemu-2.3.0.tar.bz2) = cb203bf3faa316c9eb4ceeb975441deab6f9b2f7 @@ -6,6 +6,7 @@ Size (qemu-2.3.0.tar.bz2) = 24683085 bytes SHA1 (patch-configure) = 2d0d2549056c9f53a932b236ed4d69a5ee58a856 SHA1 (patch-ef) = 6e57de87f91067e8a9a1388c91133a31b3582b3a SHA1 (patch-et) = 036e1a254ce40df635dfb6107d2707879467e127 +SHA1 (patch-hw_block_fdc.c) = a49f714266b767953d78aa42492cde3ba4ecb06a SHA1 (patch-hw_display_omap__dss.c) = 6b13242f28e32346bc70548c216c578d98fd3420 SHA1 (patch-hw_net_etraxfs__eth.c) = e5dd1661d60dbcd27b332403e0843500ba9544bc SHA1 (patch-hw_net_xilinx__axienet.c) = ebcd2676d64ce6f31e4a8c976d4fdf530ad5e8b7 diff --git a/emulators/qemu/patches/patch-hw_block_fdc.c b/emulators/qemu/patches/patch-hw_block_fdc.c new file mode 100644 index 00000000000..baf23a3e69f --- /dev/null +++ b/emulators/qemu/patches/patch-hw_block_fdc.c @@ -0,0 +1,71 @@ +$NetBSD: patch-hw_block_fdc.c,v 1.1 2015/05/16 03:19:54 khorben Exp $ + +fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +--- hw/block/fdc.c.orig 2015-04-27 14:08:23.000000000 +0000 ++++ hw/block/fdc.c +@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fd + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command |