qemu: 2.3.0 -> 2.5.0

Thomas Penteker 2015-12-27 23:06:41 +01:00
parent b5f48abfe9
commit b788ec7a57
4 changed files with 14 additions and 101 deletions


@ -1,11 +1,11 @@
drwxr-xr-x root/root etc/
drwxr-xr-x root/root etc/qemu/
-rw-r--r-- root/root etc/qemu/target-x86_64.conf (EMPTY)
drwxr-xr-x root/root etc/udev/
drwxr-xr-x root/root etc/udev/rules.d/
-rw-r--r-- root/root etc/udev/rules.d/60-kvm.rules
drwxr-xr-x root/root usr/
drwxr-xr-x root/root usr/bin/
-rwxr-xr-x root/root usr/bin/ivshmem-client
-rwxr-xr-x root/root usr/bin/ivshmem-server
-rwxr-xr-x root/root usr/bin/qemu-ga
-rwxr-xr-x root/root usr/bin/qemu-i386
-rwxr-xr-x root/root usr/bin/qemu-img
@ -18,13 +18,12 @@ drwxr-xr-x root/root usr/bin/
drwxr-xr-x root/root usr/lib/
drwxr-xr-x root/root usr/lib/qemu/
-rwxr-xr-x root/root usr/lib/qemu/qemu-bridge-helper
drwxr-xr-x root/root usr/man/
drwxr-xr-x root/root usr/man/man1/
-rw-r--r-- root/root usr/man/man1/qemu-img.1.gz
-rw-r--r-- root/root usr/man/man1/qemu.1.gz
drwxr-xr-x root/root usr/man/man8/
-rw-r--r-- root/root usr/man/man8/qemu-nbd.8.gz
drwxr-xr-x root/root usr/share/
drwxr-xr-x root/root usr/share/man1/
-rw-r--r-- root/root usr/share/man1/qemu-img.1
-rw-r--r-- root/root usr/share/man1/qemu.1
drwxr-xr-x root/root usr/share/man8/
-rw-r--r-- root/root usr/share/man8/qemu-nbd.8
drwxr-xr-x root/root usr/share/qemu/
-rw-r--r-- root/root usr/share/qemu/QEMU,cgthree.bin
-rw-r--r-- root/root usr/share/qemu/QEMU,tcx.bin
@ -105,6 +104,7 @@ drwxr-xr-x root/root usr/share/qemu/keymaps/
-rw-r--r-- root/root usr/share/qemu/vgabios-cirrus.bin
-rw-r--r-- root/root usr/share/qemu/vgabios-qxl.bin
-rw-r--r-- root/root usr/share/qemu/vgabios-stdvga.bin
-rw-r--r-- root/root usr/share/qemu/vgabios-virtio.bin
-rw-r--r-- root/root usr/share/qemu/vgabios-vmware.bin
-rw-r--r-- root/root usr/share/qemu/vgabios.bin
drwxr-xr-x root/root var/


@ -1,2 +1 @@
d2ec15ed5ad82e6bf0eb90bb9c27b656 CVE-3456.diff
2fab3ea4460de9b57192e5b8b311f221 qemu-2.3.0.tar.bz2
f469f2330bbe76e3e39db10e9ac4f8db qemu-2.5.0.tar.bz2


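--- a/CVE-3456.diff
+++ /dev/null
@@ -1,81 +0,0 @@
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Wed, 6 May 2015 07:48:59 +0000 (+0200)
-Subject: fdc: force the fifo access to be in bounds of the allocated buffer
-X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=e907746266721f305d67bc0718795fedee2e824c
-fdc: force the fifo access to be in bounds of the allocated buffer
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-This is CVE-2015-3456.
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
-Signed-off-by: John Snow <jsnow@redhat.com>
----
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index f72a392..d8a8edd 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-{
-FDrive *cur_drv;
-uint32_t retval = 0;
-- int pos;
-+ uint32_t pos;
-cur_drv = get_cur_drv(fdctrl);
-fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-return 0;
-}
-pos = fdctrl->data_pos;
-+ pos %= FD_SECTOR_LEN;
-if (fdctrl->msr & FD_MSR_NONDMA) {
-- pos %= FD_SECTOR_LEN;
-if (pos == 0) {
-if (fdctrl->data_pos != 0)
-if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
-static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
-{
-FDrive *cur_drv = get_cur_drv(fdctrl);
-+ uint32_t pos;
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+ pos = fdctrl->data_pos - 1;
-+ pos %= FD_SECTOR_LEN;
-+ if (fdctrl->fifo[pos] & 0x80) {
-/* Command parameters done */
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+ if (fdctrl->fifo[pos] & 0x40) {
-fdctrl->fifo[0] = fdctrl->fifo[1];
-fdctrl->fifo[2] = 0;
-fdctrl->fifo[3] = 0;
-@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
-static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-{
-FDrive *cur_drv;
-- int pos;
-+ uint32_t pos;
-/* Reset mode */
-if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-}
-FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-- fdctrl->fifo[fdctrl->data_pos++] = value;
-+ pos = fdctrl->data_pos++;
-+ pos %= FD_SECTOR_LEN;
-+ fdctrl->fifo[pos] = value;
-if (fdctrl->data_pos == fdctrl->data_len) {
-/* We now have all parameters
-* and will be able to treat the command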


@ -6,17 +6,14 @@
# Nice to have: libseccomp libiscsi libusb usbredir spice
name=qemu
version=2.3.0
version=2.5.0
release=1
source=(http://wiki.qemu.org/download/qemu-$version.tar.bz2
CVE-3456.diff)
source=(http://wiki.qemu.org/download/qemu-$version.tar.bz2)
build() {
cd $name-$version
patch -p1 -i $SRC/CVE-3456.diff
./configure --prefix=/usr \
--cc="${CC:=gcc}" \
--host-cc="${CC:=gcc}" \
@ -32,15 +29,13 @@ build() {
-e 's|#include <sys/resource.h>|#include <sys/resource.h>\r\n#include "qemu\/xattr.h"|g' \
fsdev/virtfs-proxy-helper.c
# fix include issues with nspr
echo 'QEMU_CFLAGS+=-I/usr/include/nspr' >> libcacard/Makefile
make ${MAKEFLAGS:=}
make DESTDIR=$PKG install
make qemu.1 qemu-img.1 qemu-nbd.8
install -D -m 644 qemu.1 $PKG/usr/man/man1/qemu.1
install -D -m 644 qemu-img.1 $PKG/usr/man/man1/qemu-img.1
install -D -m 644 qemu-nbd.8 $PKG/usr/man/man8/qemu-nbd.8
install -D -m 644 qemu.1 $PKG/usr/share/man1/qemu.1
install -D -m 644 qemu-img.1 $PKG/usr/share/man1/qemu-img.1
install -D -m 644 qemu-nbd.8 $PKG/usr/share/man8/qemu-nbd.8
install -d $PKG/etc/udev/rules.d/
echo 'KERNEL=="kvm", NAME="kvm", OWNER="root", GROUP="kvm", MODE="0660"' > \