summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTudor Florea <tudor.florea@enea.com>2015-07-07 00:29:37 +0200
committerTudor Florea <tudor.florea@enea.com>2015-07-07 00:29:37 +0200
commitc190b396d5d2b0ce2caabf7366f3b08546187f11 (patch)
tree5a0748d0fe6581dd4c8eaf9dbdefe498bf9a0e64
parente8be346c3a210a1b4da8b6943c5fe2e5556d29b9 (diff)
downloadpoky-c190b396d5d2b0ce2caabf7366f3b08546187f11.tar.gz
qemu: fixed multiple CVEs
CVE-2015-3456, fdc: out-of-bounds fifo buffer memory access CVE-2014-5263, missing field list terminator in vmstate_xhci_event CVE-2014-3689, vmware_vga: insufficient parameter validation in rectangle functions CVE-2014-7815, vnc: insufficient bits_per_pixel from the client sanitization References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch87
-rw-r--r--meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/vmware-vga-CVE-2014-3689.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch51
-rw-r--r--meta/recipes-devtools/qemu/qemu_1.7.2.bb6
5 files changed, 237 insertions, 1 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch
new file mode 100644
index 0000000000..751949dcb4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch
@@ -0,0 +1,87 @@
1From 46aa72e4466d3a58dcea2c8b3cce48c053cd108f Mon Sep 17 00:00:00 2001
2From: Petr Matousek <pmatouse@redhat.com>
3Date: Wed, 6 May 2015 09:48:59 +0200
4Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
5 buffer
6
7During processing of certain commands such as FD_CMD_READ_ID and
8FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
9get out of bounds leading to memory corruption with values coming
10from the guest.
11
12Fix this by making sure that the index is always bounded by the
13allocated memory.
14
15This is CVE-2015-3456.
16Upstream-Status: Backport
17
18Signed-off-by: Petr Matousek <pmatouse@redhat.com>
19Reviewed-by: John Snow <jsnow@redhat.com>
20Signed-off-by: John Snow <jsnow@redhat.com>
21Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
22---
23 hw/block/fdc.c | 17 +++++++++++------
24 1 file changed, 11 insertions(+), 6 deletions(-)
25
26diff --git a/hw/block/fdc.c b/hw/block/fdc.c
27index c5a6c21..2552fb1 100644
28--- a/hw/block/fdc.c
29+++ b/hw/block/fdc.c
30@@ -1440,7 +1440,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
31 {
32 FDrive *cur_drv;
33 uint32_t retval = 0;
34- int pos;
35+ uint32_t pos;
36
37 cur_drv = get_cur_drv(fdctrl);
38 fdctrl->dsr &= ~FD_DSR_PWRDOWN;
39@@ -1449,8 +1449,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
40 return 0;
41 }
42 pos = fdctrl->data_pos;
43+ pos %= FD_SECTOR_LEN;
44 if (fdctrl->msr & FD_MSR_NONDMA) {
45- pos %= FD_SECTOR_LEN;
46 if (pos == 0) {
47 if (fdctrl->data_pos != 0)
48 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
49@@ -1794,10 +1794,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
50 static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
51 {
52 FDrive *cur_drv = get_cur_drv(fdctrl);
53+ uint32_t pos;
54
55- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
56+ pos = fdctrl->data_pos - 1;
57+ pos %= FD_SECTOR_LEN;
58+ if (fdctrl->fifo[pos] & 0x80) {
59 /* Command parameters done */
60- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
61+ if (fdctrl->fifo[pos] & 0x40) {
62 fdctrl->fifo[0] = fdctrl->fifo[1];
63 fdctrl->fifo[2] = 0;
64 fdctrl->fifo[3] = 0;
65@@ -1897,7 +1900,7 @@ static uint8_t command_to_handler[256];
66 static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
67 {
68 FDrive *cur_drv;
69- int pos;
70+ uint32_t pos;
71
72 /* Reset mode */
73 if (!(fdctrl->dor & FD_DOR_nRESET)) {
74@@ -1945,7 +1948,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
75 }
76
77 FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
78- fdctrl->fifo[fdctrl->data_pos++] = value;
79+ pos = fdctrl->data_pos++;
80+ pos %= FD_SECTOR_LEN;
81+ fdctrl->fifo[pos] = value;
82 if (fdctrl->data_pos == fdctrl->data_len) {
83 /* We now have all parameters
84 * and will be able to treat the command
85--
861.9.1
87
diff --git a/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
new file mode 100644
index 0000000000..ef70c16423
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
@@ -0,0 +1,53 @@
1From 2ad23e10869f1b54c5c92fc21af453896ebb5c92 Mon Sep 17 00:00:00 2001
2From: Laszlo Ersek <lersek@redhat.com>
3Date: Tue, 22 Jul 2014 17:26:41 +0200
4Subject: [PATCH] vmstate_xhci_event: fix unterminated field list
5
6"vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live
7migration support"), and first released in v1.6.0. The field list in this
8VMSD is not terminated with the VMSTATE_END_OF_LIST() macro.
9
10During normal use (ie. migration), the issue is practically invisible,
11because the "vmstate_xhci_event" object (with the unterminated field list)
12is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full()
13returns true, for the "ev_buffer" test. Since that field_exists() check
14(apparently) almost always returns false, we almost never traverse
15"vmstate_xhci_event" during migration, which hides the bug.
16
17However, Amit's vmstate checker forces recursion into this VMSD as well,
18and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator
19check (field->name != NULL) in dump_vmstate_vmsd(). The result is
20undefined behavior, which in my case translates to infinite recursion
21(because the loop happens to overflow into "vmstate_xhci_intr", which then
22links back to "vmstate_xhci_event").
23
24Add the missing terminator.
25
26Fixes CVE-2014-5263.
27Upstream-Status: Backport
28
29Signed-off-by: Laszlo Ersek <lersek@redhat.com>
30Reviewed-by: Amit Shah <amit.shah@redhat.com>
31Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
32Cc: qemu-stable@nongnu.org
33Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
34Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
35---
36 hw/usb/hcd-xhci.c | 1 +
37 1 file changed, 1 insertion(+)
38
39diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
40index 835f65e..745617e 100644
41--- a/hw/usb/hcd-xhci.c
42+++ b/hw/usb/hcd-xhci.c
43@@ -3571,6 +3571,7 @@ static const VMStateDescription vmstate_xhci_event = {
44 VMSTATE_UINT32(flags, XHCIEvent),
45 VMSTATE_UINT8(slotid, XHCIEvent),
46 VMSTATE_UINT8(epid, XHCIEvent),
47+ VMSTATE_END_OF_LIST()
48 }
49 };
50
51--
521.9.1
53
diff --git a/meta/recipes-devtools/qemu/qemu/vmware-vga-CVE-2014-3689.patch b/meta/recipes-devtools/qemu/qemu/vmware-vga-CVE-2014-3689.patch
new file mode 100644
index 0000000000..74cf8465ce
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vmware-vga-CVE-2014-3689.patch
@@ -0,0 +1,41 @@
1From 56b6131a153668bbb77e1b9b7e86379c41f8fdf9 Mon Sep 17 00:00:00 2001
2From: Gerd Hoffmann <kraxel@redhat.com>
3Date: Mon, 6 Oct 2014 11:42:34 +0200
4Subject: [PATCH] vmware-vga: CVE-2014-3689: turn off hw accel
5
6Quick & easy stopgap for CVE-2014-3689: We just compile out the
7hardware acceleration functions which lack sanity checks. Thankfully
8we have capability bits for them (SVGA_CAP_RECT_COPY and
9SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.
10
11Subsequent patches will add the missing checks and re-enable the
12hardware acceleration emulation.
13
14Upstream-Status: Backport
15
16Cc: qemu-stable@nongnu.org
17Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
18Reviewed-by: Don Koch <dkoch@verizon.com>
19Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
20---
21 hw/display/vmware_vga.c | 2 ++
22 1 file changed, 2 insertions(+)
23
24diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
25index a6a8cdc..113ce1f 100644
26--- a/hw/display/vmware_vga.c
27+++ b/hw/display/vmware_vga.c
28@@ -27,8 +27,10 @@
29 #include "hw/pci/pci.h"
30
31 #undef VERBOSE
32+#if 0
33 #define HW_RECT_ACCEL
34 #define HW_FILL_ACCEL
35+#endif
36 #define HW_MOUSE_ACCEL
37
38 #include "vga_int.h"
39--
401.9.1
41
diff --git a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
new file mode 100644
index 0000000000..cf90984f6a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
@@ -0,0 +1,51 @@
1From e6908bfe8e07f2b452e78e677da1b45b1c0f6829 Mon Sep 17 00:00:00 2001
2From: Petr Matousek <pmatouse@redhat.com>
3Date: Mon, 27 Oct 2014 12:41:44 +0100
4Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
5
6bits_per_pixel that are less than 8 could result in accessing
7non-initialized buffers later in the code due to the expectation
8that bytes_per_pixel value that is used to initialize these buffers is
9never zero.
10
11To fix this check that bits_per_pixel from the client is one of the
12values that the rfb protocol specification allows.
13
14This is CVE-2014-7815.
15
16Upstream-Status: Backport
17
18Signed-off-by: Petr Matousek <pmatouse@redhat.com>
19
20[ kraxel: apply codestyle fix ]
21
22Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
23Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
24---
25 ui/vnc.c | 10 ++++++++++
26 1 file changed, 10 insertions(+)
27
28diff --git a/ui/vnc.c b/ui/vnc.c
29index 0fe6eff..8bca597 100644
30--- a/ui/vnc.c
31+++ b/ui/vnc.c
32@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
33 return;
34 }
35
36+ switch (bits_per_pixel) {
37+ case 8:
38+ case 16:
39+ case 32:
40+ break;
41+ default:
42+ vnc_client_error(vs);
43+ return;
44+ }
45+
46 vs->client_pf.rmax = red_max;
47 vs->client_pf.rbits = hweight_long(red_max);
48 vs->client_pf.rshift = red_shift;
49--
501.9.1
51
diff --git a/meta/recipes-devtools/qemu/qemu_1.7.2.bb b/meta/recipes-devtools/qemu/qemu_1.7.2.bb
index 60a7937219..c3c6d3652d 100644
--- a/meta/recipes-devtools/qemu/qemu_1.7.2.bb
+++ b/meta/recipes-devtools/qemu/qemu_1.7.2.bb
@@ -7,7 +7,11 @@ SRC_URI += "file://fxrstorssefix.patch \
7 file://qemu-enlarge-env-entry-size.patch \ 7 file://qemu-enlarge-env-entry-size.patch \
8 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ 8 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
9 file://ide-CVE-2014-2894.patch \ 9 file://ide-CVE-2014-2894.patch \
10 file://slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch" 10 file://slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch \
11 file://vmware-vga-CVE-2014-3689.patch \
12 file://vmstate_xhci_event-CVE-2014-5263.patch \
13 file://vnc-CVE-2014-7815.patch \
14 file://fdc-CVE-2015-3456.patch"
11 15
12SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2" 16SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2"
13SRC_URI[md5sum] = "a52e0acd37b0c9b06228fe98da0b1b43" 17SRC_URI[md5sum] = "a52e0acd37b0c9b06228fe98da0b1b43"