diff options
author | Kai Kang <kai.kang@windriver.com> | 2015-05-26 15:14:43 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-05-29 10:17:15 +0100 |
commit | 5a2d9852868986b6cd5af49ab24d54bf90a74da3 (patch) | |
tree | 70686d3aaa02d406933222480df3e4701a83bb65 | |
parent | 2efd475a98602758c98290263d17a8ac55d32a39 (diff) | |
download | poky-5a2d9852868986b6cd5af49ab24d54bf90a74da3.tar.gz |
qemu: fix CVE-2015-3456
Backport patch to fix qemuc CVE issue CVE-2015-3456.
Refs:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
(From OE-Core rev: 1d9e6ef173bea8181fabc6abf0dbb53990b15fd8)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch | 92 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.3.0.bb | 1 |
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch new file mode 100644 index 0000000000..f05441fce6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch | |||
@@ -0,0 +1,92 @@ | |||
1 | qemu: CVE-2015-3456 | ||
2 | |||
3 | the patch comes from: | ||
4 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456 | ||
5 | http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c | ||
6 | |||
7 | fdc: force the fifo access to be in bounds of the allocated buffer | ||
8 | |||
9 | During processing of certain commands such as FD_CMD_READ_ID and | ||
10 | FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could | ||
11 | get out of bounds leading to memory corruption with values coming | ||
12 | from the guest. | ||
13 | |||
14 | Fix this by making sure that the index is always bounded by the | ||
15 | allocated memory. | ||
16 | |||
17 | This is CVE-2015-3456. | ||
18 | |||
19 | Signed-off-by: Petr Matousek <pmatouse@redhat.com> | ||
20 | Reviewed-by: John Snow <jsnow@redhat.com> | ||
21 | Signed-off-by: John Snow <jsnow@redhat.com> | ||
22 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
23 | |||
24 | Upstream-Status: Backport | ||
25 | |||
26 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
27 | --- | ||
28 | hw/block/fdc.c | 17 +++++++++++------ | ||
29 | 1 file changed, 11 insertions(+), 6 deletions(-) | ||
30 | |||
31 | diff --git a/hw/block/fdc.c b/hw/block/fdc.c | ||
32 | index 490d127..045459e 100644 | ||
33 | --- a/hw/block/fdc.c | ||
34 | +++ b/hw/block/fdc.c | ||
35 | @@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) | ||
36 | { | ||
37 | FDrive *cur_drv; | ||
38 | uint32_t retval = 0; | ||
39 | - int pos; | ||
40 | + uint32_t pos; | ||
41 | |||
42 | cur_drv = get_cur_drv(fdctrl); | ||
43 | fdctrl->dsr &= ~FD_DSR_PWRDOWN; | ||
44 | @@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) | ||
45 | return 0; | ||
46 | } | ||
47 | pos = fdctrl->data_pos; | ||
48 | + pos %= FD_SECTOR_LEN; | ||
49 | if (fdctrl->msr & FD_MSR_NONDMA) { | ||
50 | - pos %= FD_SECTOR_LEN; | ||
51 | if (pos == 0) { | ||
52 | if (fdctrl->data_pos != 0) | ||
53 | if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { | ||
54 | @@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) | ||
55 | static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) | ||
56 | { | ||
57 | FDrive *cur_drv = get_cur_drv(fdctrl); | ||
58 | + uint32_t pos; | ||
59 | |||
60 | - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { | ||
61 | + pos = fdctrl->data_pos - 1; | ||
62 | + pos %= FD_SECTOR_LEN; | ||
63 | + if (fdctrl->fifo[pos] & 0x80) { | ||
64 | /* Command parameters done */ | ||
65 | - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { | ||
66 | + if (fdctrl->fifo[pos] & 0x40) { | ||
67 | fdctrl->fifo[0] = fdctrl->fifo[1]; | ||
68 | fdctrl->fifo[2] = 0; | ||
69 | fdctrl->fifo[3] = 0; | ||
70 | @@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256]; | ||
71 | static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) | ||
72 | { | ||
73 | FDrive *cur_drv; | ||
74 | - int pos; | ||
75 | + uint32_t pos; | ||
76 | |||
77 | /* Reset mode */ | ||
78 | if (!(fdctrl->dor & FD_DOR_nRESET)) { | ||
79 | @@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) | ||
80 | } | ||
81 | |||
82 | FLOPPY_DPRINTF("%s: %02x\n", __func__, value); | ||
83 | - fdctrl->fifo[fdctrl->data_pos++] = value; | ||
84 | + pos = fdctrl->data_pos++; | ||
85 | + pos %= FD_SECTOR_LEN; | ||
86 | + fdctrl->fifo[pos] = value; | ||
87 | if (fdctrl->data_pos == fdctrl->data_len) { | ||
88 | /* We now have all parameters | ||
89 | * and will be able to treat the command | ||
90 | -- | ||
91 | 1.7.9.5 | ||
92 | |||
diff --git a/meta/recipes-devtools/qemu/qemu_2.3.0.bb b/meta/recipes-devtools/qemu/qemu_2.3.0.bb index 25c5e4d539..4782941f52 100644 --- a/meta/recipes-devtools/qemu/qemu_2.3.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.3.0.bb | |||
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ | |||
6 | SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ | 6 | SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ |
7 | file://qemu-enlarge-env-entry-size.patch \ | 7 | file://qemu-enlarge-env-entry-size.patch \ |
8 | file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ | 8 | file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ |
9 | file://qemu-CVE-2015-3456.patch \ | ||
9 | " | 10 | " |
10 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" | 11 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" |
11 | SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221" | 12 | SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221" |