author | Tudor Florea <tudor.florea@enea.com> | 2015-07-07 00:29:37 +0200 |
committer | Tudor Florea <tudor.florea@enea.com> | 2015-07-07 00:29:37 +0200 |
commit | c190b396d5d2b0ce2caabf7366f3b08546187f11 (patch) | |
tree | 5a0748d0fe6581dd4c8eaf9dbdefe498bf9a0e64 /meta | |
parent | e8be346c3a210a1b4da8b6943c5fe2e5556d29b9 (diff) | |
download | poky-c190b396d5d2b0ce2caabf7366f3b08546187f11.tar.gz |
qemu: fixed multiple CVEs
CVE-2015-3456, fdc: out-of-bounds fifo buffer memory access
CVE-2014-5263, missing field list terminator in vmstate_xhci_event
CVE-2014-3689, vmware_vga: insufficient parameter validation in rectangle
functions
CVE-2014-7815, vnc: insufficient bits_per_pixel from the client sanitization
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta')
5 files changed, 237 insertions, 1 deletions
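--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch
@@ -0,0 +1,87 @@
+From 46aa72e4466d3a58dcea2c8b3cce48c053cd108f Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
+ buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index c5a6c21..2552fb1 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1440,7 +1440,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1449,8 +1449,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1794,10 +1794,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1897,7 +1900,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1945,7 +1948,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
+-- 
+1.9.1
+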
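Review bot: The bound in fdctrl_handle_drive_specification_command rests on `pos` being `uint32_t` as much as on the new `pos %= FD_SECTOR_LEN;`: if `fdctrl->data_pos` can be 0 at that point (not visible in this hunk), `data_pos - 1` wraps to UINT32_MAX and the modulo still yields an index below FD_SECTOR_LEN, whereas the same expression with the old `int pos` would stay negative after `%` (C truncates toward zero) and read before the fifo. The patch switches the type in fdctrl_read_data and fdctrl_write_data too but says nowhere that this is load-bearing, so a later cleanup that puts `int` back would silently reopen the out-of-bounds access while every `%= FD_SECTOR_LEN` line still looks intact. I would add a comment at the first `pos %= FD_SECTOR_LEN;` in fdctrl_read_data, e.g. `/* pos must stay unsigned: '%' only bounds a non-negative index */`, and repeat it at the two later uses. Each of the five inner hunks cuts through its enclosing function, which begins or ends outside the shown lines.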
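--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
@@ -0,0 +1,53 @@
+From 2ad23e10869f1b54c5c92fc21af453896ebb5c92 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 22 Jul 2014 17:26:41 +0200
+Subject: [PATCH] vmstate_xhci_event: fix unterminated field list
+
+"vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live
+migration support"), and first released in v1.6.0. The field list in this
+VMSD is not terminated with the VMSTATE_END_OF_LIST() macro.
+
+During normal use (ie. migration), the issue is practically invisible,
+because the "vmstate_xhci_event" object (with the unterminated field list)
+is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full()
+returns true, for the "ev_buffer" test. Since that field_exists() check
+(apparently) almost always returns false, we almost never traverse
+"vmstate_xhci_event" during migration, which hides the bug.
+
+However, Amit's vmstate checker forces recursion into this VMSD as well,
+and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator
+check (field->name != NULL) in dump_vmstate_vmsd(). The result is
+undefined behavior, which in my case translates to infinite recursion
+(because the loop happens to overflow into "vmstate_xhci_intr", which then
+links back to "vmstate_xhci_event").
+
+Add the missing terminator.
+
+Fixes CVE-2014-5263.
+Upstream-Status: Backport
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/usb/hcd-xhci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 835f65e..745617e 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3571,6 +3571,7 @@ static const VMStateDescription vmstate_xhci_event = {
+         VMSTATE_UINT32(flags, XHCIEvent),
+         VMSTATE_UINT8(slotid, XHCIEvent),
+         VMSTATE_UINT8(epid, XHCIEvent),
++        VMSTATE_END_OF_LIST()
+     }
+ };
+ 
+-- 
+1.9.1
+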
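--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vmware-vga-CVE-2014-3689.patch
@@ -0,0 +1,41 @@
+From 56b6131a153668bbb77e1b9b7e86379c41f8fdf9 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 6 Oct 2014 11:42:34 +0200
+Subject: [PATCH] vmware-vga: CVE-2014-3689: turn off hw accel
+
+Quick & easy stopgap for CVE-2014-3689: We just compile out the
+hardware acceleration functions which lack sanity checks. Thankfully
+we have capability bits for them (SVGA_CAP_RECT_COPY and
+SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.
+
+Subsequent patches will add the missing checks and re-enable the
+hardware acceleration emulation.
+
+Upstream-Status: Backport
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/display/vmware_vga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index a6a8cdc..113ce1f 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -27,8 +27,10 @@
+ #include "hw/pci/pci.h"
+ 
+ #undef VERBOSE
++#if 0
+ #define HW_RECT_ACCEL
+ #define HW_FILL_ACCEL
++#endif
+ #define HW_MOUSE_ACCEL
+ 
+ #include "vga_int.h"
+-- 
+1.9.1
+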
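--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
@@ -0,0 +1,51 @@
+From e6908bfe8e07f2b452e78e677da1b45b1c0f6829 Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Mon, 27 Oct 2014 12:41:44 +0100
+Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
+
+bits_per_pixel that are less than 8 could result in accessing
+non-initialized buffers later in the code due to the expectation
+that bytes_per_pixel value that is used to initialize these buffers is
+never zero.
+
+To fix this check that bits_per_pixel from the client is one of the
+values that the rfb protocol specification allows.
+
+This is CVE-2014-7815.
+
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+
+[ kraxel: apply codestyle fix ]
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ui/vnc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 0fe6eff..8bca597 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
+         return;
+     }
+ 
++    switch (bits_per_pixel) {
++    case 8:
++    case 16:
++    case 32:
++        break;
++    default:
++        vnc_client_error(vs);
++        return;
++    }
++
+     vs->client_pf.rmax = red_max;
+     vs->client_pf.rbits = hweight_long(red_max);
+     vs->client_pf.rshift = red_shift;
+-- 
+1.9.1
+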
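--- a/meta/recipes-devtools/qemu/qemu_1.7.2.bb
+++ b/meta/recipes-devtools/qemu/qemu_1.7.2.bb
@@ -7,7 +7,11 @@ SRC_URI += "file://fxrstorssefix.patch \
             file://qemu-enlarge-env-entry-size.patch \
             file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
             file://ide-CVE-2014-2894.patch \
-            file://slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch"
+            file://slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch \
+            file://vmware-vga-CVE-2014-3689.patch \
+            file://vmstate_xhci_event-CVE-2014-5263.patch \
+            file://vnc-CVE-2014-7815.patch \
+            file://fdc-CVE-2015-3456.patch"
 
 SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2"
 SRC_URI[md5sum] = "a52e0acd37b0c9b06228fe98da0b1b43"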