author | Tudor Florea <tudor.florea@enea.com> | 2015-07-07 00:29:37 +0200 |
committer | Tudor Florea <tudor.florea@enea.com> | 2015-07-07 00:29:37 +0200 |
commit | c190b396d5d2b0ce2caabf7366f3b08546187f11 (patch) | |
tree | 5a0748d0fe6581dd4c8eaf9dbdefe498bf9a0e64 /meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch | |
parent | e8be346c3a210a1b4da8b6943c5fe2e5556d29b9 (diff) | |
download | poky-c190b396d5d2b0ce2caabf7366f3b08546187f11.tar.gz |
qemu: fixed multiple CVEs
CVE-2015-3456, fdc: out-of-bounds fifo buffer memory access
CVE-2014-5263, missing field list terminator in vmstate_xhci_event
CVE-2014-3689, vmware_vga: insufficient parameter validation in rectangle
functions
CVE-2014-7815, vnc: insufficient bits_per_pixel from the client sanitization
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch | 87 |
1 files changed, 87 insertions, 0 deletions
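--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch
@@ -0,0 +1,87 @@
+From 46aa72e4466d3a58dcea2c8b3cce48c053cd108f Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
+buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+hw/block/fdc.c | 17 +++++++++++------
+1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index c5a6c21..2552fb1 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1440,7 +1440,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+{
+FDrive *cur_drv;
+uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+cur_drv = get_cur_drv(fdctrl);
+fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1449,8 +1449,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+return 0;
+}
+pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+if (pos == 0) {
+if (fdctrl->data_pos != 0)
+if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1794,10 +1794,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+{
+FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+/* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+fdctrl->fifo[0] = fdctrl->fifo[1];
+fdctrl->fifo[2] = 0;
+fdctrl->fifo[3] = 0;
+@@ -1897,7 +1900,7 @@ static uint8_t command_to_handler[256];
+static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+{
+FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+/* Reset mode */
+if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1945,7 +1948,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+}
+
+FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+if (fdctrl->data_pos == fdctrl->data_len) {
+/* We now have all parameters
+* and will be able to treat the command
+--
+1.9.1
+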
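Review bot: The three new `pos %= FD_SECTOR_LEN;` lines in the quoted hw/block/fdc.c hunks (fdctrl_read_data, fdctrl_handle_drive_specification_command, fdctrl_write_data) silently assume the fifo buffer is exactly FD_SECTOR_LEN bytes, a size fixed at allocation outside this patch, so each would read better with a one-line why-comment such as `/* fifo is FD_SECTOR_LEN bytes; data_pos is guest-controlled (CVE-2015-3456) */`. In fdctrl_handle_drive_specification_command the new `pos = fdctrl->data_pos - 1;` wraps to UINT32_MAX when data_pos is 0 and the following modulo brings it back in range; the result is in bounds, but the reliance on unsigned wrap-around deserves a note for the next reader. The backported header carries `Upstream-Status: Backport` but no `CVE: CVE-2015-3456` tag; if this tree's patch conventions use that tag, add it beside Upstream-Status so CVE tracking can pick the fix up. All three modified functions start or end outside the quoted hunks, so the later `fifo[pos]` read in fdctrl_read_data is not visible here.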