From e44baca4d255eaa1b98c2bd14e6f0b6df3643b61 Mon Sep 17 00:00:00 2001 From: Thomas Penteker Date: Mon, 8 Jun 2015 20:32:10 +0200 Subject: [PATCH] qemu-all: fix CVE-2015-3456 --- qemu-all/.md5sum | 1 + qemu-all/CVE-3456.diff | 81 ++++++++++++++++++++++++++++++++++++++++++ qemu-all/Pkgfile | 7 ++-- 3 files changed, 87 insertions(+), 2 deletions(-) create mode 100644 qemu-all/CVE-3456.diff diff --git a/qemu-all/.md5sum b/qemu-all/.md5sum index acbd37d55..b711d543d 100644 --- a/qemu-all/.md5sum +++ b/qemu-all/.md5sum @@ -1 +1,2 @@ +d2ec15ed5ad82e6bf0eb90bb9c27b656 CVE-3456.diff 2fab3ea4460de9b57192e5b8b311f221 qemu-2.3.0.tar.bz2 diff --git a/qemu-all/CVE-3456.diff b/qemu-all/CVE-3456.diff new file mode 100644 index 000000000..2844caa4d --- /dev/null +++ b/qemu-all/CVE-3456.diff @@ -0,0 +1,81 @@ +From: Petr Matousek +Date: Wed, 6 May 2015 07:48:59 +0000 (+0200) +Subject: fdc: force the fifo access to be in bounds of the allocated buffer +X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=e907746266721f305d67bc0718795fedee2e824c + +fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek +Reviewed-by: John Snow +Signed-off-by: John Snow +--- + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index f72a392..d8a8edd 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command diff --git a/qemu-all/Pkgfile b/qemu-all/Pkgfile index f63aa83ff..48ab6e500 100644 --- a/qemu-all/Pkgfile +++ b/qemu-all/Pkgfile @@ -7,12 +7,15 @@ name=qemu-all version=2.3.0 -release=1 -source=(http://wiki.qemu.org/download/qemu-$version.tar.bz2) +release=2 +source=(http://wiki.qemu.org/download/qemu-$version.tar.bz2 + CVE-3456.diff) build() { cd qemu-$version + + patch -p1 -i $SRC/CVE-3456.diff ./configure --prefix=/usr \ --cc="${CC:=gcc}" \