From: Aleksandr Mogylchenko Date: Wed, 13 May 2015 17:26:48 +0000 (-0700) Subject: Update qemu package to mitigate CVE-2015-3456 X-Git-Url: https://review.fuel-infra.org/gitweb?p=packages%2Fcentos6%2Fqemu.git;a=commitdiff_plain;h=ad92abb8034ec1689ddfa6669add8ece58711fa7 Update qemu package to mitigate CVE-2015-3456 https://bugzilla.redhat.com/show_bug.cgi?id=1218611 Change-Id: Ibf32a70495c9d0d7b2b09da5e89035d06cda369c Closes-Bug: #1454795 --- diff --git a/0025-fdc-force-the-fifo-access-to-be-in-bounds-of-the-allocated-buffer.patch b/0025-fdc-force-the-fifo-access-to-be-in-bounds-of-the-allocated-buffer.patch new file mode 100644 index 0000000..ca78eac --- /dev/null +++ b/0025-fdc-force-the-fifo-access-to-be-in-bounds-of-the-allocated-buffer.patch @@ -0,0 +1,82 @@ +From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001 +From: Petr Matousek +Date: Wed, 6 May 2015 09:48:59 +0200 +Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek +--- + hw/block/fdc.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index f72a392..d8a8edd 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command +-- +2.1.0 + diff --git a/qemu.spec b/qemu.spec index ddbee04..8956116 100644 --- a/qemu.spec +++ b/qemu.spec @@ -154,7 +154,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.0.0 -Release: 4 +Release: 5 Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -220,6 +220,7 @@ Patch0021: 0021-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch Patch0022: 0022-openpic-avoid-buffer-overrun-on-incoming-migration.patch Patch0023: 0023-virtio-net-out-of-bounds-buffer-write-on-load.patch Patch0024: 0024-virtio-validate-config_len-on-load.patch +Patch0025: 0025-fdc-force-the-fifo-access-to-be-in-bounds-of-the-allocated-buffer.patch BuildRequires: SDL-devel BuildRequires: zlib-devel @@ -768,7 +769,7 @@ CAC emulation development files. %patch0022 -p1 %patch0023 -p1 %patch0024 -p1 - +%patch0025 -p1 %build %if %{with kvmonly} @@ -1548,6 +1549,9 @@ fi %endif %changelog +* Wed May 13 2015 Aleksandr Mogylchenko - 2:2.0.0-5 +- VENOM, or CVE-2015-3456; + * Sun May 11 2014 Cole Robinson - 2:2.0.0-4 - Migration CVEs: CVE-2014-0182 etc.