diff --git a/0034-console-bounds-check-whenever-chang.patch b/0034-console-bounds-check-whenever-chang.patch
new file mode 100644
index 00000000..9452aa93
--- /dev/null
+++ b/0034-console-bounds-check-whenever-chang.patch
@@ -0,0 +1,126 @@
+From 0a57a3cd95bf6b0a3d4764129981f0938dbfaed3 Mon Sep 17 00:00:00 2001
+From: Ian Campbell
+Date: Wed, 5 Sep 2012 12:19:51 +0200
+Subject: [PATCH] console: bounds check whenever changing the cursor due to an
+ escape code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is XSA-17 / CVE-2012-3515
+
+Signed-off-by: Ian Campbell
+[AF: fixed Coding Style; bnc#777084]
+Signed-off-by: Andreas Färber
+---
+ console.c | 58 +++++++++++++++++++++++++++++-----------------------------
+ 1 files changed, 29 insertions(+), 29 deletions(-)
+
+diff --git a/console.c b/console.c
+index f5e8814..7fa6516 100644
+--- a/console.c
++++ b/console.c
+@@ -850,6 +850,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
+ update_xy(s, x, y);
+ }
+ 
++/* set cursor, checking bounds */
++static void set_cursor(TextConsole *s, int x, int y)
++{
++ if (x < 0) {
++ x = 0;
++ }
++ if (y < 0) {
++ y = 0;
++ }
++ if (y >= s->height) {
++ y = s->height - 1;
++ }
++ if (x >= s->width) {
++ x = s->width - 1;
++ }
++
++ s->x = x;
++ s->y = y;
++}
++
+ static void console_putchar(TextConsole *s, int ch)
+ {
+ TextCell *c;
+@@ -921,7 +941,9 @@ static void console_putchar(TextConsole *s, int ch)
+ s->esc_params[s->nb_esc_params] * 10 + ch - '0';
+ }
+ } else {
+- s->nb_esc_params++;
++ if (s->nb_esc_params < MAX_ESC_PARAMS) {
++ s->nb_esc_params++;
++ }
+ if (ch == ';')
+ break;
+ #ifdef DEBUG_CONSOLE
+@@ -935,59 +957,37 @@ static void console_putchar(TextConsole *s, int ch)
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y -= s->esc_params[0];
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->x, s->y - s->esc_params[0]);
+ break;
+ case 'B':
+ /* move cursor down */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y += s->esc_params[0];
+- if (s->y >= s->height) {
+- s->y = s->height - 1;
+- }
++ set_cursor(s, s->x, s->y + s->esc_params[0]);
+ break;
+ case 'C':
+ /* move cursor right
 */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x += s->esc_params[0];
+- if (s->x >= s->width) {
+- s->x = s->width - 1;
+- }
++ set_cursor(s, s->x + s->esc_params[0], s->y);
+ break;
+ case 'D':
+ /* move cursor left */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x -= s->esc_params[0];
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->x - s->esc_params[0], s->y);
+ break;
+ case 'G':
+ /* move cursor to column */
+- s->x = s->esc_params[0] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->esc_params[0] - 1, s->y);
+ break;
+ case 'f':
+ case 'H':
+ /* move cursor to row, column */
+- s->x = s->esc_params[1] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
+- s->y = s->esc_params[0] - 1;
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
+ break;
+ case 'J':
+ switch (s->esc_params[0]) {
diff --git a/qemu.changes b/qemu.changes
index d2679fb8..86311364 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 5 10:26:38 UTC 2012 - afaerber@suse.de
+
+- add bounds checks in console VT100 emulation (bnc#777084,
+ CVE-2012-3515)
+
 -------------------------------------------------------------------
 Wed Sep 5 09:57:44 UTC 2012 - afaerber@suse.de
diff --git a/qemu.spec b/qemu.spec
index 748b8264..61aab5be 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -57,6 +57,7 @@ Patch0030: 0030-linux-user-fix-statfs.patch.patch
 Patch0031: 0031-linux-user-XXX-disable-fiemap.patch.patch
 Patch0032: 0032-slirp-nooutgoing.patch.patch
 Patch0033: 0033-vnc-password-file-and-incoming-conn.patch
+Patch0034: 0034-console-bounds-check-whenever-chang.patch
 # this is to make lint happy
 Source300: rpmlintrc
 Source302: bridge.conf
@@ -201,6 +202,7 @@ run cross-architecture builds.
 %patch0031 -p1
 %patch0032 -p1
 %patch0033 -p1
+%patch0034 -p1
 %build
 # build QEMU
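Review bot: The clamp in set_cursor only runs after `s->y - s->esc_params[0]`, `s->y + s->esc_params[0]` and the two x counterparts in the -935 hunk have already been evaluated in int, and the parameter itself is accumulated without an upper bound in the -921 hunk's context line `s->esc_params[s->nb_esc_params] * 10 + ch - '0';`, so a long run of digits in a CSI sequence overflows first the accumulation and then the offset before any bound is checked. Signed overflow is undefined behaviour in C; on the usual two's-complement targets the wrapped value is still pushed to an edge by set_cursor, so the visible effect is a mispositioned cursor rather than an out-of-range cell index, but the patch should close that gap rather than rely on it. Saturating the accumulation in the digit branch fixes both as long as the cap leaves headroom for the later addition to s->x or s->y, e.g. `int d = ch - '0';` / `int *p = &s->esc_params[s->nb_esc_params];` / `*p = (*p <= (INT_MAX / 2 - d) / 10) ? *p * 10 + d : INT_MAX / 2;` (assuming, as the hunk suggests but does not prove, that x and y stay within the console dimensions). Separately, set_cursor tests `x < 0` before `x >= s->width` (and likewise for y), so a zero width or height would leave -1 in s->x or s->y; if zero dimensions cannot occur, a one-line comment on set_cursor stating that precondition would make the check ordering safe to read. console_putchar's body begins and ends outside this hunk.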