summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKai Kang <kai.kang@windriver.com>2015-05-26 15:14:43 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-05-29 10:17:15 +0100
commit5a2d9852868986b6cd5af49ab24d54bf90a74da3 (patch)
tree70686d3aaa02d406933222480df3e4701a83bb65
parent2efd475a98602758c98290263d17a8ac55d32a39 (diff)
downloadpoky-5a2d9852868986b6cd5af49ab24d54bf90a74da3.tar.gz
qemu: fix CVE-2015-3456
Backport patch to fix qemuc CVE issue CVE-2015-3456. Refs: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456 http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c (From OE-Core rev: 1d9e6ef173bea8181fabc6abf0dbb53990b15fd8) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch92
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.3.0.bb1
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
new file mode 100644
index 0000000000..f05441fce6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
@@ -0,0 +1,92 @@
1qemu: CVE-2015-3456
2
3the patch comes from:
4https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
5http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
6
7fdc: force the fifo access to be in bounds of the allocated buffer
8
9During processing of certain commands such as FD_CMD_READ_ID and
10FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
11get out of bounds leading to memory corruption with values coming
12from the guest.
13
14Fix this by making sure that the index is always bounded by the
15allocated memory.
16
17This is CVE-2015-3456.
18
19Signed-off-by: Petr Matousek <pmatouse@redhat.com>
20Reviewed-by: John Snow <jsnow@redhat.com>
21Signed-off-by: John Snow <jsnow@redhat.com>
22Signed-off-by: Li Wang <li.wang@windriver.com>
23
24Upstream-Status: Backport
25
26Signed-off-by: Kai Kang <kai.kang@windriver.com>
27---
28 hw/block/fdc.c | 17 +++++++++++------
29 1 file changed, 11 insertions(+), 6 deletions(-)
30
31diff --git a/hw/block/fdc.c b/hw/block/fdc.c
32index 490d127..045459e 100644
33--- a/hw/block/fdc.c
34+++ b/hw/block/fdc.c
35@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
36 {
37 FDrive *cur_drv;
38 uint32_t retval = 0;
39- int pos;
40+ uint32_t pos;
41
42 cur_drv = get_cur_drv(fdctrl);
43 fdctrl->dsr &= ~FD_DSR_PWRDOWN;
44@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
45 return 0;
46 }
47 pos = fdctrl->data_pos;
48+ pos %= FD_SECTOR_LEN;
49 if (fdctrl->msr & FD_MSR_NONDMA) {
50- pos %= FD_SECTOR_LEN;
51 if (pos == 0) {
52 if (fdctrl->data_pos != 0)
53 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
54@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
55 static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
56 {
57 FDrive *cur_drv = get_cur_drv(fdctrl);
58+ uint32_t pos;
59
60- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
61+ pos = fdctrl->data_pos - 1;
62+ pos %= FD_SECTOR_LEN;
63+ if (fdctrl->fifo[pos] & 0x80) {
64 /* Command parameters done */
65- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
66+ if (fdctrl->fifo[pos] & 0x40) {
67 fdctrl->fifo[0] = fdctrl->fifo[1];
68 fdctrl->fifo[2] = 0;
69 fdctrl->fifo[3] = 0;
70@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
71 static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
72 {
73 FDrive *cur_drv;
74- int pos;
75+ uint32_t pos;
76
77 /* Reset mode */
78 if (!(fdctrl->dor & FD_DOR_nRESET)) {
79@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
80 }
81
82 FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
83- fdctrl->fifo[fdctrl->data_pos++] = value;
84+ pos = fdctrl->data_pos++;
85+ pos %= FD_SECTOR_LEN;
86+ fdctrl->fifo[pos] = value;
87 if (fdctrl->data_pos == fdctrl->data_len) {
88 /* We now have all parameters
89 * and will be able to treat the command
90--
911.7.9.5
92
diff --git a/meta/recipes-devtools/qemu/qemu_2.3.0.bb b/meta/recipes-devtools/qemu/qemu_2.3.0.bb
index 25c5e4d539..4782941f52 100644
--- a/meta/recipes-devtools/qemu/qemu_2.3.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.3.0.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
6SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ 6SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
7 file://qemu-enlarge-env-entry-size.patch \ 7 file://qemu-enlarge-env-entry-size.patch \
8 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ 8 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
9 file://qemu-CVE-2015-3456.patch \
9 " 10 "
10SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 11SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
11SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221" 12SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221"