Hi Maxime,
On Friday 15 May 2015 11:23:15 Maxime Dor wrote:
> Could an experienced dev validate that this diff between VBox 4.3.26 &
> 4.3.28 is indeed a fix CVE-2015-3456 ? http://pastebin.com/hb5Fbwku
sorry for the slow response. Here is the link to the official Oracle report:
http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html
As stated there, the bug is fixed in VBox 4.3.28 so yes, the diff between the
source code of VBox 4.3.26 and 4.3.28 in src/VBox/Devices/Storage/DevFdc.cpp
contains the fix. For convenience I've attached the diff.
Kind regards,
Frank
--
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany
ORACLE Deutschland B.V. & Co. KG
Hauptverwaltung: Riesstraße 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603
Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher
Index: src/VBox/Devices/Storage/DevFdc.cpp
===================================================================
--- src/VBox/Devices/Storage/DevFdc.cpp (revision 89689)
+++ src/VBox/Devices/Storage/DevFdc.cpp (revision 100353)
@@ -1737,7 +1737,7 @@
FLOPPY_ERROR("controller not ready for reading\n");
return 0;
}
- pos = fdctrl->data_pos;
+ pos = fdctrl->data_pos % FD_SECTOR_LEN;
if (fdctrl->msr & FD_MSR_NONDMA) {
pos %= FD_SECTOR_LEN;
if (pos == 0) {
@@ -1961,7 +1961,7 @@
FLOPPY_DPRINTF("CMD:%02x SEL:%02x\n", fdctrl->fifo[0], fdctrl->fifo[1]);
- /* XXX: should set main status register to busy */
+ fdctrl->msr &= ~FD_MSR_RQM;
cur_drv->head = (fdctrl->fifo[1] >> 2) & 1;
#ifdef VBOX
TMTimerSetMillies(fdctrl->result_timer, 1000 / 50);
@@ -2139,10 +2139,17 @@
{
fdrive_t *cur_drv = get_cur_drv(fdctrl);
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+ /* This command takes a variable number of parameters. It can be terminated
+ * at any time if the high bit of a parameter is set. Once there are 6 bytes
+ * in the FIFO (command + 5 parameter bytes), data_len/data_pos will be 7.
+ */
+ if (fdctrl->data_len == 7 || (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80)) {
+
/* Command parameters done */
if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
- fdctrl->fifo[0] = fdctrl->fifo[1];
+ /* Data is echoed, but not stored! */
+ fdctrl->fifo[0] = fdctrl->data_len > 2 ? fdctrl->fifo[1] : 0;
+ fdctrl->fifo[1] = fdctrl->data_len > 3 ? fdctrl->fifo[2] : 0;
fdctrl->fifo[2] = 0;
fdctrl->fifo[3] = 0;
fdctrl_set_fifo(fdctrl, 4, 0);
@@ -2149,12 +2156,8 @@
} else {
fdctrl_reset_fifo(fdctrl);
}
- } else if (fdctrl->data_len > 7) {
- /* ERROR */
- fdctrl->fifo[0] = 0x80 |
- (cur_drv->head << 2) | GET_CUR_DRV(fdctrl);
- fdctrl_set_fifo(fdctrl, 1, 0);
- }
+ } else
+ fdctrl->data_len++; /* Wait for another byte. */
}
static void fdctrl_handle_relative_seek_out(fdctrl_t *fdctrl, int direction)
@@ -2219,7 +2222,7 @@
{ FD_CMD_CONFIGURE, 0xff, "CONFIGURE", 3, fdctrl_handle_configure },
{ FD_CMD_POWERDOWN_MODE, 0xff, "POWERDOWN MODE", 2, fdctrl_handle_powerdown_mode },
{ FD_CMD_OPTION, 0xff, "OPTION", 1, fdctrl_handle_option },
- { FD_CMD_DRIVE_SPECIFICATION_COMMAND, 0xff, "DRIVE SPECIFICATION COMMAND", 5, fdctrl_handle_drive_specification_command },
+ { FD_CMD_DRIVE_SPECIFICATION_COMMAND, 0xff, "DRIVE SPECIFICATION COMMAND", 1, fdctrl_handle_drive_specification_command },
{ FD_CMD_RELATIVE_SEEK_OUT, 0xff, "RELATIVE SEEK OUT", 2, fdctrl_handle_relative_seek_out },
{ FD_CMD_FORMAT_AND_WRITE, 0xff, "FORMAT AND WRITE", 10, fdctrl_unimplemented },
{ FD_CMD_RELATIVE_SEEK_IN, 0xff, "RELATIVE SEEK IN", 2, fdctrl_handle_relative_seek_in },
@@ -2281,7 +2284,7 @@
}
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
- fdctrl->fifo[fdctrl->data_pos++] = value;
+ fdctrl->fifo[fdctrl->data_pos++ % FD_SECTOR_LEN] = value;
if (fdctrl->data_pos == fdctrl->data_len) {
/* We now have all parameters
* and will be able to treat the command
_______________________________________________
vbox-dev mailing list
[email protected]
https://www.virtualbox.org/mailman/listinfo/vbox-dev
