Accepting request 307165 from home:a_faerber:branches:Virtualization
Fix CVE-2015-3456 (boo#929339) and limit qemu-linux-user %check to prepared architectures OBS-URL: https://build.opensuse.org/request/show/307165 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=259
This commit is contained in:
parent
c42732f882
commit
c15bc67567
88
0041-fdc-force-the-fifo-access-to-be-in-.patch
Normal file
88
0041-fdc-force-the-fifo-access-to-be-in-.patch
Normal file
@ -0,0 +1,88 @@
|
||||
From 8ee1862533a1af5b18387662b262560fc336a08b Mon Sep 17 00:00:00 2001
|
||||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Wed, 6 May 2015 09:48:59 +0200
|
||||
Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
|
||||
buffer
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
During processing of certain commands such as FD_CMD_READ_ID and
|
||||
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
|
||||
get out of bounds leading to memory corruption with values coming
|
||||
from the guest.
|
||||
|
||||
Fix this by making sure that the index is always bounded by the
|
||||
allocated memory.
|
||||
|
||||
This is CVE-2015-3456.
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c)
|
||||
[AF: BOO#929339]
|
||||
Signed-off-by: Andreas Färber <afaerber@suse.de>
|
||||
---
|
||||
hw/block/fdc.c | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
|
||||
index 2bf87c9..a9de4ab 100644
|
||||
--- a/hw/block/fdc.c
|
||||
+++ b/hw/block/fdc.c
|
||||
@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
uint32_t retval = 0;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
cur_drv = get_cur_drv(fdctrl);
|
||||
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
|
||||
@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
return 0;
|
||||
}
|
||||
pos = fdctrl->data_pos;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
if (fdctrl->msr & FD_MSR_NONDMA) {
|
||||
- pos %= FD_SECTOR_LEN;
|
||||
if (pos == 0) {
|
||||
if (fdctrl->data_pos != 0)
|
||||
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
|
||||
@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
|
||||
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
|
||||
{
|
||||
FDrive *cur_drv = get_cur_drv(fdctrl);
|
||||
+ uint32_t pos;
|
||||
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
|
||||
+ pos = fdctrl->data_pos - 1;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ if (fdctrl->fifo[pos] & 0x80) {
|
||||
/* Command parameters done */
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
|
||||
+ if (fdctrl->fifo[pos] & 0x40) {
|
||||
fdctrl->fifo[0] = fdctrl->fifo[1];
|
||||
fdctrl->fifo[2] = 0;
|
||||
fdctrl->fifo[3] = 0;
|
||||
@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
|
||||
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
/* Reset mode */
|
||||
if (!(fdctrl->dor & FD_DOR_nRESET)) {
|
||||
@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
}
|
||||
|
||||
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
|
||||
- fdctrl->fifo[fdctrl->data_pos++] = value;
|
||||
+ pos = fdctrl->data_pos++;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ fdctrl->fifo[pos] = value;
|
||||
if (fdctrl->data_pos == fdctrl->data_len) {
|
||||
/* We now have all parameters
|
||||
* and will be able to treat the command
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu May 14 17:21:21 UTC 2015 - afaerber@suse.de
|
||||
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.3
|
||||
* Patches added:
|
||||
0041-fdc-force-the-fifo-access-to-be-in-.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 12 22:43:56 UTC 2015 - agraf@suse.com
|
||||
|
||||
|
@ -65,6 +65,7 @@ Patch0037: 0037-linux-user-Allocate-thunk-size-dyna.patch
|
||||
Patch0038: 0038-Revert-Revert-seccomp-tests-that-al.patch
|
||||
Patch0039: 0039-s390x-Fix-stoc-direction.patch
|
||||
Patch0040: 0040-s390x-Add-interlocked-access-facili.patch
|
||||
Patch0041: 0041-fdc-force-the-fifo-access-to-be-in-.patch
|
||||
# Please do not add patches manually here, run update_git.sh.
|
||||
# this is to make lint happy
|
||||
Source300: qemu-rpmlintrc
|
||||
@ -164,6 +165,7 @@ This sub-package contains development files for the Smartcard library.
|
||||
%patch0038 -p1
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
|
||||
%build
|
||||
./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \
|
||||
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu May 14 17:21:17 UTC 2015 - afaerber@suse.de
|
||||
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.3
|
||||
* Patches added:
|
||||
0041-fdc-force-the-fifo-access-to-be-in-.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 12 22:43:53 UTC 2015 - agraf@suse.com
|
||||
|
||||
@ -6,6 +13,11 @@ Tue May 12 22:43:53 UTC 2015 - agraf@suse.com
|
||||
* Patches added:
|
||||
0040-s390x-Add-interlocked-access-facili.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon May 11 12:21:16 UTC 2015 - afaerber@suse.de
|
||||
|
||||
- Limit %check to architectures prepared for it
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun May 10 14:55:31 UTC 2015 - afaerber@suse.de
|
||||
|
||||
|
@ -65,6 +65,7 @@ Patch0037: 0037-linux-user-Allocate-thunk-size-dyna.patch
|
||||
Patch0038: 0038-Revert-Revert-seccomp-tests-that-al.patch
|
||||
Patch0039: 0039-s390x-Fix-stoc-direction.patch
|
||||
Patch0040: 0040-s390x-Add-interlocked-access-facili.patch
|
||||
Patch0041: 0041-fdc-force-the-fifo-access-to-be-in-.patch
|
||||
# Please do not add patches manually here, run update_git.sh.
|
||||
# this is to make lint happy
|
||||
Source300: qemu-rpmlintrc
|
||||
@ -158,6 +159,7 @@ run cross-architecture builds.
|
||||
%patch0038 -p1
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
|
||||
%build
|
||||
./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \
|
||||
@ -203,10 +205,12 @@ make %{?_smp_mflags} V=1
|
||||
%define qemu_arch s390x
|
||||
%endif
|
||||
|
||||
%ifarch %ix86 x86_64 %arm aarch64 ppc ppc64 ppc64le s390x
|
||||
%if 0%{?suse_version} >= 1310
|
||||
%check
|
||||
%{qemu_arch}-linux-user/qemu-%{qemu_arch} %_bindir/ls > /dev/null
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%install
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
|
@ -125,10 +125,12 @@ make %{?_smp_mflags} V=1
|
||||
%define qemu_arch s390x
|
||||
%endif
|
||||
|
||||
%ifarch %ix86 x86_64 %arm aarch64 ppc ppc64 ppc64le s390x
|
||||
%if 0%{?suse_version} >= 1310
|
||||
%check
|
||||
%{qemu_arch}-linux-user/qemu-%{qemu_arch} %_bindir/ls > /dev/null
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%install
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu May 14 17:21:13 UTC 2015 - afaerber@suse.de
|
||||
|
||||
- Fix CVE-2015-3456 (boo#929339)
|
||||
0041-fdc-force-the-fifo-access-to-be-in-.patch
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.3
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 12 22:43:49 UTC 2015 - agraf@suse.com
|
||||
|
||||
|
@ -96,6 +96,7 @@ Patch0037: 0037-linux-user-Allocate-thunk-size-dyna.patch
|
||||
Patch0038: 0038-Revert-Revert-seccomp-tests-that-al.patch
|
||||
Patch0039: 0039-s390x-Fix-stoc-direction.patch
|
||||
Patch0040: 0040-s390x-Add-interlocked-access-facili.patch
|
||||
Patch0041: 0041-fdc-force-the-fifo-access-to-be-in-.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
|
||||
@ -596,6 +597,7 @@ This package provides a service file for starting and stopping KSM.
|
||||
%patch0038 -p1
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
|
||||
%if %{build_x86_fw_from_source}
|
||||
pushd roms/seabios
|
||||
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu May 14 17:21:13 UTC 2015 - afaerber@suse.de
|
||||
|
||||
- Fix CVE-2015-3456 (boo#929339)
|
||||
0041-fdc-force-the-fifo-access-to-be-in-.patch
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.3
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 12 22:43:49 UTC 2015 - agraf@suse.com
|
||||
|
||||
|
@ -96,6 +96,7 @@ Patch0037: 0037-linux-user-Allocate-thunk-size-dyna.patch
|
||||
Patch0038: 0038-Revert-Revert-seccomp-tests-that-al.patch
|
||||
Patch0039: 0039-s390x-Fix-stoc-direction.patch
|
||||
Patch0040: 0040-s390x-Add-interlocked-access-facili.patch
|
||||
Patch0041: 0041-fdc-force-the-fifo-access-to-be-in-.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
|
||||
@ -596,6 +597,7 @@ This package provides a service file for starting and stopping KSM.
|
||||
%patch0038 -p1
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
|
||||
%if %{build_x86_fw_from_source}
|
||||
pushd roms/seabios
|
||||
|
Loading…
Reference in New Issue
Block a user