QEMU update with VENOM (CVE-2015-3456) patch

Change-Id: I7c4b9080e978130956441f603be72a5ee40d3290
Partial-Bug: #1454795

diff --git a/0243-fdc-force-the-fifo-access-to-be-in-bounds-of-the-allocated-buffer.patch b/0243-fdc-force-the-fifo-access-to-be-in-bounds-of-the-allocated-buffer.patch
new file mode 100644 (file)
index 0000000..a71bc58
--- /dev/null
+++ b/0243-fdc-force-the-fifo-access-to-be-in-bounds-of-the-allocated-buffer.patch
@@ -0,0 +1,82 @@
+From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+---
+ hw/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/fdc.c b/hw/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/fdc.c
++++ b/hw/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
+-- 
+2.1.0
+

diff --git a/qemu.spec b/qemu.spec
index af54851f05ae19e36678a21a67e5793ed0a55b57..44c4871c61e3dac71a1dc825a424a1519ec4690f 100644 (file)
--- a/qemu.spec
+++ b/qemu.spec
@@ -107,7 +107,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 1.2.0
-Release: 24%{?dist}
+Release: 25%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -391,6 +391,7 @@ Patch0239: 0239-i386-kvm-bit-10-of-CPUID-8000_0001-.EDX-is-reserved.patch
 Patch0240: 0240-fpu-softfloat.c-Return-correctly-signed-values-from-.patch
 Patch0241: 0241-pseries-Don-t-test-for-MSR_PR-for-hypercalls-under-K.patch
 Patch0242: 0242-update-VERSION-for-v1.2.1.patch
+Patch0243: 0243-fdc-force-the-fifo-access-to-be-in-bounds-of-the-allocated-buffer.patch
 
 # The infamous chardev flow control patches
 Patch0400: 0400-char-Split-out-tcp-socket-close-code-in-a-separate-f.patch
@@ -1133,6 +1134,7 @@ such as kvm_stat.
 %patch0240 -p1
 %patch0241 -p1
 %patch0242 -p1
+%patch0243 -p1
 
 %patch0400 -p1
 %patch0401 -p1
@@ -1483,6 +1485,7 @@ if [ $1 -eq 1 ] ; then
     # Initial installation
     /bin/systemctl enable ksm.service >/dev/null 2>&1 || :
     /bin/systemctl enable ksmtuned.service >/dev/null 2>&1 || :
+    /bin/ln -s /usr/bin/qemu-kvm /usr/libexec/qemu-kvm
 fi
 
 getent group kvm >/dev/null || groupadd -g 36 -r kvm
@@ -1507,7 +1510,10 @@ if [ $1 -ge 1 ] ; then
     /bin/systemctl try-restart ksmtuned.service >/dev/null 2>&1 || :
     /bin/systemctl try-restart ksm.service >/dev/null 2>&1 || :
 fi
-
+if [ $1 -eq 0 ] ; then
+    # Package removal, not upgrade
+    /bin/rm -f /usr/libexec/qemu-kvm
+fi
 
 %global kvm_files \
 %{_sysconfdir}/sysconfig/modules/kvm.modules \
@@ -1789,6 +1795,9 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Wed May 20 2015 Michael Semenov <msemenov@mirantis.com> - 2:1.2.0-25
+- VENOM, or CVE-2015-3456;
+
 * Thu Aug 22 2013 Mirantis Product <product@mirantis.com> - 2:1.2.0-24
 - remove systemd stuff not needed for Centos
 - lower usbredir req to >= 0.5.1