
Accepting request 307165 from home:a_faerber:branches:Virtualization

Fix CVE-2015-3456 (boo#929339) and limit qemu-linux-user %check to prepared architectures

OBS-URL: https://build.opensuse.org/request/show/307165
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=259
Andreas Färber 2015-05-14 17:45:59 +00:00 committed by Git OBS Bridge
parent c42732f882
commit c15bc67567
10 changed files with 133 additions and 0 deletions


@ -0,0 +1,88 @@
From 8ee1862533a1af5b18387662b262560fc336a08b Mon Sep 17 00:00:00 2001
From: Petr Matousek <pmatouse@redhat.com>
Date: Wed, 6 May 2015 09:48:59 +0200
Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.
This is CVE-2015-3456.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c)
[AF: BOO#929339]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/block/fdc.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index 2bf87c9..a9de4ab 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
{
FDrive *cur_drv;
uint32_t retval = 0;
- int pos;
+ uint32_t pos;
cur_drv = get_cur_drv(fdctrl);
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
return 0;
}
pos = fdctrl->data_pos;
+ pos %= FD_SECTOR_LEN;
if (fdctrl->msr & FD_MSR_NONDMA) {
- pos %= FD_SECTOR_LEN;
if (pos == 0) {
if (fdctrl->data_pos != 0)
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
{
FDrive *cur_drv = get_cur_drv(fdctrl);
+ uint32_t pos;
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+ pos = fdctrl->data_pos - 1;
+ pos %= FD_SECTOR_LEN;
+ if (fdctrl->fifo[pos] & 0x80) {
/* Command parameters done */
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+ if (fdctrl->fifo[pos] & 0x40) {
fdctrl->fifo[0] = fdctrl->fifo[1];
fdctrl->fifo[2] = 0;
fdctrl->fifo[3] = 0;
@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
{
FDrive *cur_drv;
- int pos;
+ uint32_t pos;
/* Reset mode */
if (!(fdctrl->dor & FD_DOR_nRESET)) {
@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
}
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
- fdctrl->fifo[fdctrl->data_pos++] = value;
+ pos = fdctrl->data_pos++;
+ pos %= FD_SECTOR_LEN;
+ fdctrl->fifo[pos] = value;
if (fdctrl->data_pos == fdctrl->data_len) {
/* We now have all parameters
* and will be able to treat the command
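Review bot: The new bound in fdctrl_write_data (`pos = fdctrl->data_pos++; pos %= FD_SECTOR_LEN;`) wraps the index but leaves `fdctrl->data_pos` itself unclamped, so a guest that pushes more parameter bytes than fit is silently aliased onto fifo[0..] rather than refused, and the following `fdctrl->data_pos == fdctrl->data_len` comparison still sees the raw counter. That closes the out-of-bounds write of CVE-2015-3456, but it hard-codes FD_SECTOR_LEN as the fifo size in three places; if the controller carries a separate fifo-size field (not visible in these hunks) the modulo should use that, or the invariant should be pinned with a comment such as `/* fifo is exactly FD_SECTOR_LEN bytes: wrap rather than overrun (CVE-2015-3456) */` above the first `pos %= FD_SECTOR_LEN;` in fdctrl_read_data. In fdctrl_handle_drive_specification_command, `pos = fdctrl->data_pos - 1` on a uint32_t wraps to 0xFFFFFFFF when data_pos is 0 and the modulo then maps it to 511, which is in bounds but reads a stale byte; presumably unreachable because the handler runs after fdctrl_write_data has incremented data_pos, but a one-line comment stating that precondition would help. All four functions touched start or end outside their hunks.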


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu May 14 17:21:21 UTC 2015 - afaerber@suse.de
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.3
* Patches added:
0041-fdc-force-the-fifo-access-to-be-in-.patch
-------------------------------------------------------------------
Tue May 12 22:43:56 UTC 2015 - agraf@suse.com


@ -65,6 +65,7 @@ Patch0037: 0037-linux-user-Allocate-thunk-size-dyna.patch
Patch0038: 0038-Revert-Revert-seccomp-tests-that-al.patch
Patch0039: 0039-s390x-Fix-stoc-direction.patch
Patch0040: 0040-s390x-Add-interlocked-access-facili.patch
Patch0041: 0041-fdc-force-the-fifo-access-to-be-in-.patch
# Please do not add patches manually here, run update_git.sh.
# this is to make lint happy
Source300: qemu-rpmlintrc
@ -164,6 +165,7 @@ This sub-package contains development files for the Smartcard library.
%patch0038 -p1
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%build
./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu May 14 17:21:17 UTC 2015 - afaerber@suse.de
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.3
* Patches added:
0041-fdc-force-the-fifo-access-to-be-in-.patch
-------------------------------------------------------------------
Tue May 12 22:43:53 UTC 2015 - agraf@suse.com
@ -6,6 +13,11 @@ Tue May 12 22:43:53 UTC 2015 - agraf@suse.com
* Patches added:
0040-s390x-Add-interlocked-access-facili.patch
-------------------------------------------------------------------
Mon May 11 12:21:16 UTC 2015 - afaerber@suse.de
- Limit %check to architectures prepared for it
-------------------------------------------------------------------
Sun May 10 14:55:31 UTC 2015 - afaerber@suse.de


@ -65,6 +65,7 @@ Patch0037: 0037-linux-user-Allocate-thunk-size-dyna.patch
Patch0038: 0038-Revert-Revert-seccomp-tests-that-al.patch
Patch0039: 0039-s390x-Fix-stoc-direction.patch
Patch0040: 0040-s390x-Add-interlocked-access-facili.patch
Patch0041: 0041-fdc-force-the-fifo-access-to-be-in-.patch
# Please do not add patches manually here, run update_git.sh.
# this is to make lint happy
Source300: qemu-rpmlintrc
@ -158,6 +159,7 @@ run cross-architecture builds.
%patch0038 -p1
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%build
./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \
@ -203,10 +205,12 @@ make %{?_smp_mflags} V=1
%define qemu_arch s390x
%endif
%ifarch %ix86 x86_64 %arm aarch64 ppc ppc64 ppc64le s390x
%if 0%{?suse_version} >= 1310
%check
%{qemu_arch}-linux-user/qemu-%{qemu_arch} %_bindir/ls > /dev/null
%endif
%endif
%install
make install DESTDIR=$RPM_BUILD_ROOT


@ -125,10 +125,12 @@ make %{?_smp_mflags} V=1
%define qemu_arch s390x
%endif
%ifarch %ix86 x86_64 %arm aarch64 ppc ppc64 ppc64le s390x
%if 0%{?suse_version} >= 1310
%check
%{qemu_arch}-linux-user/qemu-%{qemu_arch} %_bindir/ls > /dev/null
%endif
%endif
%install
make install DESTDIR=$RPM_BUILD_ROOT


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu May 14 17:21:13 UTC 2015 - afaerber@suse.de
- Fix CVE-2015-3456 (boo#929339)
0041-fdc-force-the-fifo-access-to-be-in-.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.3
-------------------------------------------------------------------
Tue May 12 22:43:49 UTC 2015 - agraf@suse.com


@ -96,6 +96,7 @@ Patch0037: 0037-linux-user-Allocate-thunk-size-dyna.patch
Patch0038: 0038-Revert-Revert-seccomp-tests-that-al.patch
Patch0039: 0039-s390x-Fix-stoc-direction.patch
Patch0040: 0040-s390x-Add-interlocked-access-facili.patch
Patch0041: 0041-fdc-force-the-fifo-access-to-be-in-.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -596,6 +597,7 @@ This package provides a service file for starting and stopping KSM.
%patch0038 -p1
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%if %{build_x86_fw_from_source}
pushd roms/seabios


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu May 14 17:21:13 UTC 2015 - afaerber@suse.de
- Fix CVE-2015-3456 (boo#929339)
0041-fdc-force-the-fifo-access-to-be-in-.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.3
-------------------------------------------------------------------
Tue May 12 22:43:49 UTC 2015 - agraf@suse.com


@ -96,6 +96,7 @@ Patch0037: 0037-linux-user-Allocate-thunk-size-dyna.patch
Patch0038: 0038-Revert-Revert-seccomp-tests-that-al.patch
Patch0039: 0039-s390x-Fix-stoc-direction.patch
Patch0040: 0040-s390x-Add-interlocked-access-facili.patch
Patch0041: 0041-fdc-force-the-fifo-access-to-be-in-.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -596,6 +597,7 @@ This package provides a service file for starting and stopping KSM.
%patch0038 -p1
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%if %{build_x86_fw_from_source}
pushd roms/seabios