authorSona Sarmadi <sona.sarmadi@enea.com>2016-05-02 07:33:27 (GMT)
committerTudor Florea <tudor.florea@enea.com>2016-05-03 14:06:28 (GMT)
commit9c5b66788d746491a471bed3c7c7333862f95ea7 (patch)
treef70147af4dc6498356385a5e91f047fb977de6ec
parent3e666afc648543a2dd73c577569e34d0d8d996ff (diff)
downloadpoky-9c5b66788d746491a471bed3c7c7333862f95ea7.tar.gz
qemu: ide: CVE-2015-6855
Fixes a divide-by-zero issue. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6855 Reference to upstream patch: http://git.qemu.org/?p=qemu.git;a=commit;h=63d761388d6fea994ca498c6e7a210851a99ad93 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-devtools/qemu/qemu/ide-CVE-2015-6855.patch150
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.4.0.bb1
2 files changed, 151 insertions, 0 deletions
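--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/ide-CVE-2015-6855.patch
@@ -0,0 +1,150 @@
+From 63d761388d6fea994ca498c6e7a210851a99ad93 Mon Sep 17 00:00:00 2001
+From: John Snow <jsnow@redhat.com>
+Date: Thu, 17 Sep 2015 14:17:05 -0400
+Subject: ide: fix ATAPI command permissions
+
+We're a little too lenient with what we'll let an ATAPI drive handle.
+Clamp down on the IDE command execution table to remove CD_OK permissions
+from commands that are not and have never been ATAPI commands.
+
+For ATAPI command validity, please see:
+- ATA4 Section 6.5 ("PACKET Command feature set")
+- ATA8/ACS Section 4.3 ("The PACKET feature set")
+- ACS3 Section 4.3 ("The PACKET feature set")
+
+ACS3 has a historical command validity table in Table B.4
+("Historical Command Assignments") that can be referenced to find when
+a command was introduced, deprecated, obsoleted, etc.
+
+The only reference for ATAPI command validity is by checking that
+version's PACKET feature set section.
+
+ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
+therefore are assumed to have never been ATAPI commands.
+
+Mandatory commands, as listed in ATA8-ACS3, are:
+
+- DEVICE RESET
+- EXECUTE DEVICE DIAGNOSTIC
+- IDENTIFY DEVICE
+- IDENTIFY PACKET DEVICE
+- NOP
+- PACKET
+- READ SECTOR(S)
+- SET FEATURES
+
+Optional commands as listed in ATA8-ACS3, are:
+
+- FLUSH CACHE
+- READ LOG DMA EXT
+- READ LOG EXT
+- WRITE LOG DMA EXT
+- WRITE LOG EXT
+
+All other commands are illegal to send to an ATAPI device and should
+be rejected by the device.
+
+CD_OK removal justifications:
+
+0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
+0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
+0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
+0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
+0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
+0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
+0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
+0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
+0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
+0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
+0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
+
+This patch fixes a divide by zero fault that can be caused by sending
+the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
+attempt to use zeroed CHS values to perform sector arithmetic.
+
+CVE: CVE-2015-6855
+Upstream-Status: Backport
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
+CC: qemu-stable@nongnu.org
+(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/ide/core.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 50449ca..71caea9 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1747,11 +1747,11 @@ static const struct {
+ } ide_cmd_table[0x100] = {
+ /* NOP not implemented, mandatory for CD */
+ [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK },
+- [WIN_DSM] = { cmd_data_set_management, ALL_OK },
++ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK },
+ [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK },
+ [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC},
+ [WIN_READ] = { cmd_read_pio, ALL_OK },
+- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK },
++ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK },
+ [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK },
+ [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK },
+ [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
+@@ -1770,12 +1770,12 @@ static const struct {
+ [CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK },
+ [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK },
+ [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC },
+- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK },
+- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK },
+- [WIN_STANDBY2] = { cmd_nop, ALL_OK },
+- [WIN_SETIDLE2] = { cmd_nop, ALL_OK },
+- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC },
+- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK },
++ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK },
++ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK },
++ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK },
++ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK },
++ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
++ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK },
+ [WIN_PACKETCMD] = { cmd_packet, CD_OK },
+ [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK },
+ [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC },
+@@ -1789,19 +1789,19 @@ static const struct {
+ [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK },
+ [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK },
+ [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK },
+- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK },
+- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK },
+- [WIN_STANDBY] = { cmd_nop, ALL_OK },
+- [WIN_SETIDLE1] = { cmd_nop, ALL_OK },
+- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC },
+- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK },
++ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK },
++ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK },
++ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK },
++ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK },
++ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
++ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK },
+ [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK },
+ [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK },
+ [WIN_IDENTIFY] = { cmd_identify, ALL_OK },
+ [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC },
+ [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
+ [CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
+- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
++ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
+ };
+ 
+ static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
+--
+1.9.1
+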
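Review bot: The divide-by-zero is closed only by the permission table; the handler that performs the CHS arithmetic the header describes, `cmd_read_native_max`, lies outside these hunks and nothing in the patch indicates it gained a guard of its own, so a later table edit restoring CD_OK on `[WIN_READ_NATIVE_MAX]` would silently reopen the fault. A comment on that entry, `/* not an ATAPI command: CD_OK here reintroduces the CVE-2015-6855 divide-by-zero */`, would anchor the invariant at the one place it is enforced. The same reasoning applies to the WIN_DSM, WIN_READ_ONCE and power-management entries changed in the first two hunks, which presumably now take the reject path in ide_cmd_permitted instead of reaching HD-only handlers. `ide_cmd_permitted`, whose signature closes the last hunk, continues outside the patch.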
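--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -23,6 +23,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
  file://vnc-CVE-2015-5225.patch \
  file://net-CVE-2015-5278.patch \
  file://net-CVE-2015-5279.patch \
+ file://ide-CVE-2015-6855.patch \
  "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"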