Date: Thursday, May 14, 2015 @ 10:50:13
Author: bluewind
Revision: 239341
fix VENOM
Added:
qemu/repos/extra-i686/CVE-2015-3456.patch
qemu/repos/extra-x86_64/CVE-2015-3456.patch
Modified:
qemu/repos/extra-i686/PKGBUILD
qemu/repos/extra-x86_64/PKGBUILD
----------------------------------+
extra-i686/CVE-2015-3456.patch | 84 +++++++++++++++++++++++++++++++++++++
extra-i686/PKGBUILD | 8 +++
extra-x86_64/CVE-2015-3456.patch | 84 +++++++++++++++++++++++++++++++++++++
extra-x86_64/PKGBUILD | 8 +++
4 files changed, 182 insertions(+), 2 deletions(-)
Added: extra-i686/CVE-2015-3456.patch
===================================================================
--- extra-i686/CVE-2015-3456.patch (rev 0)
+++ extra-i686/CVE-2015-3456.patch 2015-05-14 08:50:13 UTC (rev 239341)
@@ -0,0 +1,84 @@
+From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmato...@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmato...@redhat.com>
+Reviewed-by: John Snow <js...@redhat.com>
+Signed-off-by: John Snow <js...@redhat.com>
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int
direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int
direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t
value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--
+1.7.0.4
+
Modified: extra-i686/PKGBUILD
===================================================================
--- extra-i686/PKGBUILD 2015-05-14 08:43:58 UTC (rev 239340)
+++ extra-i686/PKGBUILD 2015-05-14 08:50:13 UTC (rev 239341)
@@ -2,7 +2,7 @@
# Maintainer: Tobias Powalowski <tp...@archlinux.org>
pkgname=('qemu' 'libcacard')
pkgver=2.2.1
-pkgrel=4
+pkgrel=5
arch=('i686' 'x86_64')
license=('GPL2' 'LGPL2.1')
url="http://wiki.qemu.org/Index.html";
@@ -13,7 +13,12 @@
'usbredir')
options=(!strip)
source=(http://wiki.qemu.org/download/${pkgname}-${pkgver}.tar.bz2
+ CVE-2015-3456.patch
65-kvm.rules)
+prepare() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p1 -i ${srcdir}/CVE-2015-3456.patch
+}
build ()
{
@@ -90,4 +95,5 @@
cp -a ${srcdir}/qemu-${pkgver}/.libs/vscclient ${pkgdir}/usr/bin/
}
md5sums=('833ff4457062456d38d6567f802ffef4'
+ '5e8a68940c4e0267e795a6ddd144e00e'
'33ab286a20242dda7743a900f369d68a')
Added: extra-x86_64/CVE-2015-3456.patch
===================================================================
--- extra-x86_64/CVE-2015-3456.patch (rev 0)
+++ extra-x86_64/CVE-2015-3456.patch 2015-05-14 08:50:13 UTC (rev 239341)
@@ -0,0 +1,84 @@
+From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmato...@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmato...@redhat.com>
+Reviewed-by: John Snow <js...@redhat.com>
+Signed-off-by: John Snow <js...@redhat.com>
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int
direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int
direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t
value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--
+1.7.0.4
+
Modified: extra-x86_64/PKGBUILD
===================================================================
--- extra-x86_64/PKGBUILD 2015-05-14 08:43:58 UTC (rev 239340)
+++ extra-x86_64/PKGBUILD 2015-05-14 08:50:13 UTC (rev 239341)
@@ -2,7 +2,7 @@
# Maintainer: Tobias Powalowski <tp...@archlinux.org>
pkgname=('qemu' 'libcacard')
pkgver=2.2.1
-pkgrel=4
+pkgrel=5
arch=('i686' 'x86_64')
license=('GPL2' 'LGPL2.1')
url="http://wiki.qemu.org/Index.html";
@@ -13,7 +13,12 @@
'usbredir')
options=(!strip)
source=(http://wiki.qemu.org/download/${pkgname}-${pkgver}.tar.bz2
+ CVE-2015-3456.patch
65-kvm.rules)
+prepare() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p1 -i ${srcdir}/CVE-2015-3456.patch
+}
build ()
{
@@ -90,4 +95,5 @@
cp -a ${srcdir}/qemu-${pkgver}/.libs/vscclient ${pkgdir}/usr/bin/
}
md5sums=('833ff4457062456d38d6567f802ffef4'
+ '5e8a68940c4e0267e795a6ddd144e00e'
'33ab286a20242dda7743a900f369d68a')
