OBS User unknown 2007-06-20 09:57:07 +00:00 committed by Git OBS Bridge
parent ffcd1677cd
commit e1996e39e3
3 changed files with 390 additions and 1 deletions


@ -0,0 +1,380 @@
diff -rpu qemu-0.9.0.orig/block.c qemu-0.9.0/block.c
--- qemu-0.9.0.orig/block.c 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/block.c 2007-02-20 22:41:03.000000000 +0000
@@ -539,13 +539,22 @@ int bdrv_write(BlockDriverState *bs, int
return -ENOMEDIUM;
if (bs->read_only)
return -EACCES;
+ if (sector_num < 0)
+ return -EINVAL;
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
memcpy(bs->boot_sector_data, buf, 512);
}
if (drv->bdrv_pwrite) {
int ret, len;
+ unsigned ns;
+
+ ns = sector_num * 512;
len = nb_sectors * 512;
- ret = drv->bdrv_pwrite(bs, sector_num * 512, buf, len);
+
+ if (ns < 0)
+ return -EINVAL;
+
+ ret = drv->bdrv_pwrite(bs, ns, buf, len);
if (ret < 0)
return ret;
else if (ret != len)
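Review bot: The guard `if (ns < 0) return -EINVAL;` can never fire because `ns` is declared `unsigned`, so the only effect of the new temporary is to narrow `sector_num * 512` to 32 bits before it reaches `bdrv_pwrite`; if `sector_num` is the 64-bit type the truncated prototype in the hunk header suggests, writes beyond 4 GiB would land at the wrong offset. The `if (sector_num < 0) return -EINVAL;` added earlier in the hunk already rejects negative sectors, so drop `ns` and pass `sector_num * 512` as the removed line did. `nb_sectors` is still not range-checked and a negative value gives a negative `len`; extend the first guard to `if (sector_num < 0 || nb_sectors < 0) return -EINVAL;`. bdrv_write starts before the hunk.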
diff -rpu qemu-0.9.0.orig/hw/cirrus_vga.c qemu-0.9.0/hw/cirrus_vga.c
--- qemu-0.9.0.orig/hw/cirrus_vga.c 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/hw/cirrus_vga.c 2007-02-21 17:00:09.585042632 +0000
@@ -217,6 +217,20 @@
#define CIRRUS_HOOK_NOT_HANDLED 0
#define CIRRUS_HOOK_HANDLED 1
+#define BLTUNSAFE(s) \
+ ( \
+ ( /* check dst is within bounds */ \
+ (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \
+ + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \
+ (s)->vram_size \
+ ) || \
+ ( /* check src is within bounds */ \
+ (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \
+ + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \
+ (s)->vram_size \
+ ) \
+ )
+
struct CirrusVGAState;
typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
uint8_t * dst, const uint8_t * src,
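Review bot: BLTUNSAFE bounds the blit by `height * pitch`, which misses two cases: a negative pitch (if the device programs backward blits that way, which this hunk does not show) makes the product negative and the comparison trivially false, and a pitch smaller than the width under-counts the last row, which extends `cirrus_blt_width` bytes beyond `(height - 1) * pitch`. The forward ROP in cirrus_vga_rop.h rejects pitch < width, but the macro is the only check on the other paths, so it should reject negative pitches and compare the true extent, e.g. `(height - 1) * pitch + width + (addr & mask)` against `vram_size`, for both dst and src. Since this is now function-sized logic evaluated from several call sites, a `static inline int blit_is_unsafe(CirrusVGAState *s)` placed after the struct definition would be clearer than a multi-line macro defined before the forward declaration.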
@@ -589,7 +603,7 @@ static void cirrus_invalidate_region(Cir
for (y = 0; y < lines; y++) {
off_cur = off_begin;
- off_cur_end = off_cur + bytesperline;
+ off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
off_cur &= TARGET_PAGE_MASK;
while (off_cur < off_cur_end) {
cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
@@ -604,7 +618,11 @@ static int cirrus_bitblt_common_patternc
{
uint8_t *dst;
- dst = s->vram_ptr + s->cirrus_blt_dstaddr;
+ dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+
+ if (BLTUNSAFE(s))
+ return 0;
+
(*s->cirrus_rop) (s, dst, src,
s->cirrus_blt_dstpitch, 0,
s->cirrus_blt_width, s->cirrus_blt_height);
@@ -620,8 +638,11 @@ static int cirrus_bitblt_solidfill(Cirru
{
cirrus_fill_t rop_func;
+ if (BLTUNSAFE(s))
+ return 0;
+
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
- rop_func(s, s->vram_ptr + s->cirrus_blt_dstaddr,
+ rop_func(s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
s->cirrus_blt_dstpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
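Review bot: BLTUNSAFE also evaluates the source registers, but a solid fill never reads from `cirrus_blt_srcaddr`/`cirrus_blt_srcpitch`, so a stale value left by an earlier operation can make this guard reject a fill that only touches valid destination memory. Either split the macro into destination and source halves and use only the destination half here, or add a comment stating why rejecting on the source check is acceptable for a fill. `cirrus_invalidate_region` is still passed the unmasked `s->cirrus_blt_dstaddr` while the ROP writes through `s->cirrus_blt_dstaddr & s->cirrus_addr_mask`; pass the same masked value so dirty tracking covers the bytes actually written. cirrus_bitblt_solidfill continues past the hunk.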
@@ -640,8 +661,8 @@ static int cirrus_bitblt_solidfill(Cirru
static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
{
return cirrus_bitblt_common_patterncopy(s,
- s->vram_ptr +
- (s->cirrus_blt_srcaddr & ~7));
+ s->vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
+ s->cirrus_addr_mask));
}
static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
@@ -691,8 +712,10 @@ static void cirrus_do_copy(CirrusVGAStat
if (notify)
vga_hw_update();
- (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
- s->vram_ptr + s->cirrus_blt_srcaddr,
+ (*s->cirrus_rop) (s, s->vram_ptr +
+ (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ s->vram_ptr +
+ (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
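Review bot: The ROP call in cirrus_do_copy masks both base addresses but is not guarded by BLTUNSAFE, so a guest-chosen `cirrus_blt_height * cirrus_blt_dstpitch` can still carry the copy past `vram_size` on this path; masking only relocates where the walk starts. If the first branch of cirrus_bitblt_videotovideo_copy (the next hunk) reaches cirrus_do_copy, the `if (BLTUNSAFE(s)) return 0;` added to its else branch never covers this call. Add the same check at the top of cirrus_do_copy, `if (BLTUNSAFE(s)) return;`, before `vga_hw_update` is notified. cirrus_do_copy starts before the hunk.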
@@ -718,8 +741,14 @@ static int cirrus_bitblt_videotovideo_co
s->cirrus_blt_srcaddr - s->start_addr,
s->cirrus_blt_width, s->cirrus_blt_height);
} else {
- (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
- s->vram_ptr + s->cirrus_blt_srcaddr,
+
+ if (BLTUNSAFE(s))
+ return 0;
+
+ (*s->cirrus_rop) (s, s->vram_ptr +
+ (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ s->vram_ptr +
+ (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
@@ -751,8 +780,9 @@ static void cirrus_bitblt_cputovideo_nex
} else {
/* at least one scan line */
do {
- (*s->cirrus_rop)(s, s->vram_ptr + s->cirrus_blt_dstaddr,
- s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
+ (*s->cirrus_rop)(s, s->vram_ptr +
+ (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
s->cirrus_blt_width, 1);
s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
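Review bot: Masking `cirrus_blt_dstaddr` keeps the start of each scan line inside the mask range, but the ROP then writes `cirrus_blt_width` bytes from that point, so a masked address within `cirrus_blt_width` of the end of VRAM still runs past it; if `cirrus_addr_mask` is `vram_size - 1` the overrun is up to one line long. The same pattern appears in the two cirrus_mem_writeb_mode4and5 hunks below, where the `for (x = 0; x < 8; x++)` loop appears to write several bytes from the masked `offset`. Add an explicit end check before the write, e.g. `if ((s->cirrus_blt_dstaddr & s->cirrus_addr_mask) + s->cirrus_blt_width > s->vram_size) return;` here, and the equivalent for the 8-pixel span in the mode4and5 writers. The enclosing function and the do/while loop start before the hunk.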
@@ -1857,7 +1887,7 @@ static void cirrus_mem_writeb_mode4and5_
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vram_ptr + offset;
+ dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
@@ -1880,7 +1910,7 @@ static void cirrus_mem_writeb_mode4and5_
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vram_ptr + offset;
+ dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
diff -rpu qemu-0.9.0.orig/hw/cirrus_vga_rop.h qemu-0.9.0/hw/cirrus_vga_rop.h
--- qemu-0.9.0.orig/hw/cirrus_vga_rop.h 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/hw/cirrus_vga_rop.h 2007-02-21 01:45:32.000000000 +0000
@@ -31,6 +31,12 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(C
int x,y;
dstpitch -= bltwidth;
srcpitch -= bltwidth;
+
+ if (dstpitch < 0 || srcpitch < 0) {
+ /* is 0 valid? srcpitch == 0 could be useful */
+ return;
+ }
+
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
ROP_OP(*dst, *src);
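Review bot: The new guard leaves its own question open in `/* is 0 valid? srcpitch == 0 could be useful */`; a merged check should state what it rejects. After the subtraction a negative value means the pitch is smaller than the blit width, so a comment such as `/* pitch < bltwidth would make rows overlap; reject it (pitch == bltwidth, now 0, is fine) */` documents the decision. This guard is only in the forward ROP; if the header also defines the backward variant it needs the mirrored check, and the upper bound is still left entirely to the caller's BLTUNSAFE test. The function continues past the hunk.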
diff -rpu qemu-0.9.0.orig/hw/dma.c qemu-0.9.0/hw/dma.c
--- qemu-0.9.0.orig/hw/dma.c 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/hw/dma.c 2007-02-20 21:53:41.000000000 +0000
@@ -340,9 +340,11 @@ static void channel_run (int ncont, int
#endif
r = dma_controllers[ncont].regs + ichan;
- n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
- r->now[COUNT], (r->base[COUNT] + 1) << ncont);
- r->now[COUNT] = n;
+ if (r->transfer_handler) {
+ n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
+ r->now[COUNT], (r->base[COUNT] + 1) << ncont);
+ r->now[COUNT] = n;
+ }
ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
}
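Review bot: When `r->transfer_handler` is NULL the new branch skips the assignment to `n`, but the `ldebug` call on the following line still prints `n`, which is then uninitialized (its declaration is above the hunk). Move the `ldebug` inside the `if` block, or initialize `n` at its declaration. A channel with no handler is now silently skipped every time it runs; a one-time diagnostic message would make a misbehaving guest easier to spot. channel_run starts before the hunk.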
diff -rpu qemu-0.9.0.orig/hw/fdc.c qemu-0.9.0/hw/fdc.c
--- qemu-0.9.0.orig/hw/fdc.c 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/hw/fdc.c 2007-02-20 23:41:01.000000000 +0000
@@ -1100,8 +1100,13 @@ static uint32_t fdctrl_read_data (fdctrl
len = fdctrl->data_len - fdctrl->data_pos;
if (len > FD_SECTOR_LEN)
len = FD_SECTOR_LEN;
- bdrv_read(cur_drv->bs, fd_sector(cur_drv),
- fdctrl->fifo, len);
+ if (cur_drv->bs) {
+ bdrv_read(cur_drv->bs, fd_sector(cur_drv),
+ fdctrl->fifo, len);
+ } else {
+ FLOPPY_ERROR("can't read data from drive\n");
+ return 0;
+ }
}
}
retval = fdctrl->fifo[pos];
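Review bot: The return value of `bdrv_read` is still ignored in the new `if (cur_drv->bs)` branch, so a failed read leaves `fdctrl->fifo` holding whatever the previous transfer left there and the guest reads stale data with no indication. Check it the same way the missing-drive case is now handled: `if (bdrv_read(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, len) < 0) { FLOPPY_ERROR("can't read data from drive\n"); return 0; }`. Whether returning 0 without updating the controller's data position is the right recovery depends on code outside the hunk; fdctrl_read_data starts before it.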
diff -rpu qemu-0.9.0.orig/hw/i8259.c qemu-0.9.0/hw/i8259.c
--- qemu-0.9.0.orig/hw/i8259.c 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/hw/i8259.c 2007-02-20 21:53:41.000000000 +0000
@@ -299,9 +299,11 @@ static void pic_ioport_write(void *opaqu
s->init_state = 1;
s->init4 = val & 1;
if (val & 0x02)
- hw_error("single mode not supported");
+ /* hw_error("single mode not supported"); */
+ return;
if (val & 0x08)
- hw_error("level sensitive irq not supported");
+ /* hw_error("level sensitive irq not supported"); */
+ return;
} else if (val & 0x08) {
if (val & 0x04)
s->poll = 1;
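Review bot: The two early returns replace a fatal error but fire after `s->init_state = 1` and `s->init4 = val & 1` have already been stored, so an unsupported ICW1 leaves the PIC waiting for ICW2 with the rest of the initialisation sequence silently dropped. Test `val & 0x02` and `val & 0x08` before those assignments, and keep a diagnostic in place of the commented-out call, e.g. `fprintf(stderr, "i8259: single mode not supported\n");`. The `if (...) /* ... */ return;` form also reads as if the comment were the body; brace the statement so the intent is unmistakable. pic_ioport_write starts before the hunk.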
diff -rpu qemu-0.9.0.orig/hw/ne2000.c qemu-0.9.0/hw/ne2000.c
--- qemu-0.9.0.orig/hw/ne2000.c 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/hw/ne2000.c 2007-02-20 21:53:41.000000000 +0000
@@ -230,7 +230,7 @@ static void ne2000_receive(void *opaque,
{
NE2000State *s = opaque;
uint8_t *p;
- int total_len, next, avail, len, index, mcast_idx;
+ unsigned int total_len, next, avail, len, index, mcast_idx;
uint8_t buf1[60];
static const uint8_t broadcast_macaddr[6] =
{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
@@ -299,7 +299,11 @@ static void ne2000_receive(void *opaque,
/* write packet data */
while (size > 0) {
- avail = s->stop - index;
+ /* taviso: this can wrap, so check its okay. */
+ if (index <= s->stop)
+ avail = s->stop - index;
+ else
+ avail = 0;
len = size;
if (len > avail)
len = avail;
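Review bot: The new `else avail = 0;` branch stops the subtraction from wrapping, but with `avail == 0` the following lines set `len = 0`, so if the rest of the `while (size > 0)` body (outside the hunk) advances `index` and `size` only by `len`, the receive loop makes no progress and spins forever on a guest-programmed `index > s->stop`. Treat that state as a malformed ring and drop the packet instead: `if (index > s->stop) return;` in place of the zero assignment. Switching the locals to `unsigned int` also changes how comparisons against the `int size` parameter are evaluated; the ones outside the hunk are worth rechecking. ne2000_receive starts before the hunk.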
diff -rpu qemu-0.9.0.orig/hw/pc.c qemu-0.9.0/hw/pc.c
--- qemu-0.9.0.orig/hw/pc.c 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/hw/pc.c 2007-02-20 21:53:41.000000000 +0000
@@ -299,7 +299,8 @@ void bochs_bios_write(void *opaque, uint
case 0x400:
case 0x401:
fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
- exit(1);
+ /* according to documentation, these can be safely ignored */
+ break;
case 0x402:
case 0x403:
#ifdef DEBUG_BIOS
@@ -322,8 +323,9 @@ void bochs_bios_write(void *opaque, uint
/* LGPL'ed VGA BIOS messages */
case 0x501:
case 0x502:
+ /* according to documentation, these can be safely ignored */
fprintf(stderr, "VGA BIOS panic, line %d\n", val);
- exit(1);
+ break;
case 0x500:
case 0x503:
#ifdef DEBUG_BIOS
diff -rpu qemu-0.9.0.orig/hw/sb16.c qemu-0.9.0/hw/sb16.c
--- qemu-0.9.0.orig/hw/sb16.c 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/hw/sb16.c 2007-02-20 21:53:41.000000000 +0000
@@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in
s->block_size);
#endif
- while (s->left_till_irq <= 0) {
- s->left_till_irq = s->block_size + s->left_till_irq;
+ if (s->block_size) {
+ while (s->left_till_irq <= 0) {
+ s->left_till_irq = s->block_size + s->left_till_irq;
+ }
}
return dma_pos;
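Review bot: The guard `if (s->block_size)` only excludes zero; if `block_size` can go negative (its type and setter are not shown here), the `while (s->left_till_irq <= 0)` loop still never terminates because each iteration drives `left_till_irq` further down. `if (s->block_size > 0)` covers both cases and documents the intent. SB_read_DMA starts before the hunk.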
diff -rpu qemu-0.9.0.orig/slirp/slirp.c qemu-0.9.0/slirp/slirp.c
--- qemu-0.9.0.orig/slirp/slirp.c 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/slirp/slirp.c 2007-02-20 21:53:41.000000000 +0000
@@ -611,6 +611,10 @@ void slirp_input(const uint8_t *pkt, int
if (!m)
return;
/* Note: we add to align the IP header */
+ /* taviso: large values in ne2k TCNT register may exceed msize on transmit */
+ if (M_FREEROOM(m) < pkt_len + 2) {
+ m_inc(m, pkt_len + 2);
+ }
m->m_len = pkt_len + 2;
memcpy(m->m_data + 2, pkt, pkt_len);
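Review bot: `pkt_len` is an `int` (see the hunk header) and is not range-checked before `pkt_len + 2` is used for the free-room test and then for `m->m_len` and `memcpy`; a negative value passes the new check untouched and reaches the copy. Reject it up front, `if (pkt_len < 0) return;`, alongside the existing `if (!m) return;`. The fix also assumes `m_inc` always succeeds; if it can fail to grow the buffer, the copy should be conditional on the room actually being available. slirp_input starts before the hunk.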
diff -rpu qemu-0.9.0.orig/target-i386/translate.c qemu-0.9.0/target-i386/translate.c
--- qemu-0.9.0.orig/target-i386/translate.c 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/target-i386/translate.c 2007-02-20 21:53:41.000000000 +0000
@@ -5326,7 +5326,12 @@ static target_ulong disas_insn(DisasCont
if (CODE64(s))
goto illegal_op;
val = ldub_code(s->pc++);
- gen_op_aam(val);
+ /* taviso: operand can be zero */
+ if (val) {
+ gen_op_aam(val);
+ } else {
+ gen_exception(s, EXCP00_DIVZ, s->pc - s->cs_base);
+ }
s->cc_op = CC_OP_LOGICB;
break;
case 0xd5: /* aad */
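Review bot: The #DE raised for `aam 0` is reported at `s->pc - s->cs_base`, which after `ldub_code(s->pc++)` is the address of the next instruction; a divide error is a fault, so the saved EIP should point at the AAM itself, as the `into` case in the next hunk does with `pc_start - s->cs_base`. Change the call to `gen_exception(s, EXCP00_DIVZ, pc_start - s->cs_base);`. Whether `s->cc_op = CC_OP_LOGICB` should still be set on the exception path depends on how gen_exception ends the block, which is outside this hunk; disas_insn starts before it.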
@@ -5374,6 +5379,7 @@ static target_ulong disas_insn(DisasCont
gen_jmp_im(pc_start - s->cs_base);
gen_op_into(s->pc - pc_start);
break;
+#ifdef WANT_ICEBP
case 0xf1: /* icebp (undocumented, exits to external debugger) */
#if 1
gen_debug(s, pc_start - s->cs_base);
@@ -5383,6 +5389,7 @@ static target_ulong disas_insn(DisasCont
cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM);
#endif
break;
+#endif /* icebp */
case 0xfa: /* cli */
if (!s->vm86) {
if (s->cpl <= s->iopl) {
diff -rpu qemu-0.9.0.orig/vl.c qemu-0.9.0/vl.c
--- qemu-0.9.0.orig/vl.c 2007-02-05 23:01:54.000000000 +0000
+++ qemu-0.9.0/vl.c 2007-02-20 21:53:41.000000000 +0000
@@ -3329,8 +3329,8 @@ typedef struct NetSocketState {
VLANClientState *vc;
int fd;
int state; /* 0 = getting length, 1 = getting data */
- int index;
- int packet_len;
+ unsigned int index;
+ unsigned int packet_len;
uint8_t buf[4096];
struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
} NetSocketState;
@@ -3361,7 +3361,8 @@ static void net_socket_receive_dgram(voi
static void net_socket_send(void *opaque)
{
NetSocketState *s = opaque;
- int l, size, err;
+ int size, err;
+ unsigned l;
uint8_t buf1[4096];
const uint8_t *buf;
@@ -3400,7 +3401,15 @@ static void net_socket_send(void *opaque
l = s->packet_len - s->index;
if (l > size)
l = size;
- memcpy(s->buf + s->index, buf, l);
+ if (s->index + l <= sizeof(s->buf)) {
+ memcpy(s->buf + s->index, buf, l);
+ } else {
+ fprintf(stderr, "serious error: oversized packet received,"
+ "connection terminated.\n");
+ s->state = 0;
+ goto eoc;
+ }
+
s->index += l;
buf += l;
size -= l;
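Review bot: The two string literals in the new error path concatenate to `oversized packet received,connection terminated.` with no space after the comma; write them as `"serious error: oversized packet received, "` and `"connection terminated.\n"`. The error path also sets `s->state = 0` but leaves `s->index` where it was; if `eoc` does not tear the connection down, the next length read (outside this hunk) starts from the stale, now-unsigned index — reset `s->index = 0` next to the state change. Making `index` and `packet_len` unsigned (the struct hunk above) also means `l > size` now compares an unsigned against the `int size`; that is fine while `size > 0` holds but deserves a comment. net_socket_send continues past the hunk.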


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Wed Jun 20 10:59:11 CEST 2007 - uli@suse.de
- added secfixes (bug #252519)
-------------------------------------------------------------------
Thu Jun 14 18:53:18 CEST 2007 - agraf@suse.de


@ -17,7 +17,7 @@ License: BSD License and BSD-like, GNU General Public License (GPL)
Group: System/Emulators/Other
Summary: Universal CPU emulator
Version: 0.9.0
Release: 36
Release: 37
Source: %name-%version.tar.bz2
#Patch400: qemu-0.7.0-gcc4-dot-syms.patch
#Patch401: qemu-0.8.0-gcc4-hacks.patch
@ -56,6 +56,7 @@ Patch42: qemu-0.9.0-mmap.x86_64.patch
Patch43: qemu-0.9.0-futex.patch
Patch44: qemu-0.9.0-robust_list.patch
Patch45: qemu-0.9.0-wine.patch
Patch46: bug-252519_goo-qemu-sec-0.9.0.diff
Source200: kvm_bios.bin
Source201: zx-rom.bin
Source202: COPYING.zx-rom
@ -152,6 +153,7 @@ Authors:
%patch43 -p1
%patch44 -p1
%patch45 -p1
%patch46 -p1
cp -p %SOURCE200 pc-bios/
cp -p %SOURCE202 .
cd gcc-3.3.5
@ -330,6 +332,8 @@ rm -rf %{gcc33tmp}
%endif
%changelog
* Wed Jun 20 2007 - uli@suse.de
- added secfixes (bug #252519)
* Thu Jun 14 2007 - agraf@suse.de
- made wine work (set FS register to 0 on init)
- suppressed robust_list warnings