qemu: fix CVE-2015-3456

Backport patch to fix qemuc CVE issue CVE-2015-3456. Refs: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456 http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c (From OE-Core rev: 1d9e6ef173bea8181fabc6abf0dbb53990b15fd8) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2015-05-26 15:14:43 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-05-29 10:17:15 +0100
commit: 5a2d9852868986b6cd5af49ab24d54bf90a74da3 (patch)
tree: 70686d3aaa02d406933222480df3e4701a83bb65 /meta
parent: 2efd475a98602758c98290263d17a8ac55d32a39 (diff)
download: poky-5a2d9852868986b6cd5af49ab24d54bf90a74da3.tar.gz
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
new file mode 100644
index 0000000000..f05441fce6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
@@ -0,0 +1,92 @@
+qemu: CVE-2015-3456
+the patch comes from:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
+http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
+fdc: force the fifo access to be in bounds of the allocated buffer
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+This is CVE-2015-3456.
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+Upstream-Status: Backport
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ hw/block/fdc.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 490d127..045459e 100644
+--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
+@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
+    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
+    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
+    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+    pos = fdctrl->data_pos - 1;
+    pos %= FD_SECTOR_LEN;
+    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
+    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
+    pos = fdctrl->data_pos++;
+    pos %= FD_SECTOR_LEN;
+    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
+-- 
+1.7.9.5
diff --git a/meta/recipes-devtools/qemu/qemu_2.3.0.bb b/meta/recipes-devtools/qemu/qemu_2.3.0.bb
index 25c5e4d539..4782941f52 100644
--- a/meta/recipes-devtools/qemu/qemu_2.3.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.3.0.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
 SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
            file://qemu-enlarge-env-entry-size.patch \
            file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
+            file://qemu-CVE-2015-3456.patch \
            "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221"
author	Kai Kang <kai.kang@windriver.com>	2015-05-26 15:14:43 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-05-29 10:17:15 +0100
commit	5a2d9852868986b6cd5af49ab24d54bf90a74da3 (patch)
tree	70686d3aaa02d406933222480df3e4701a83bb65 /meta
parent	2efd475a98602758c98290263d17a8ac55d32a39 (diff)
download	poky-5a2d9852868986b6cd5af49ab24d54bf90a74da3.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch new file mode 100644 index 0000000000..f05441fce6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
@@ -0,0 +1,92 @@
		1	qemu: CVE-2015-3456
		2
		3	the patch comes from:
		4	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
		5	http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
		6
		7	fdc: force the fifo access to be in bounds of the allocated buffer
		8
		9	During processing of certain commands such as FD_CMD_READ_ID and
		10	FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
		11	get out of bounds leading to memory corruption with values coming
		12	from the guest.
		13
		14	Fix this by making sure that the index is always bounded by the
		15	allocated memory.
		16
		17	This is CVE-2015-3456.
		18
		19	Signed-off-by: Petr Matousek <pmatouse@redhat.com>
		20	Reviewed-by: John Snow <jsnow@redhat.com>
		21	Signed-off-by: John Snow <jsnow@redhat.com>
		22	Signed-off-by: Li Wang <li.wang@windriver.com>
		23
		24	Upstream-Status: Backport
		25
		26	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		27	---
		28	hw/block/fdc.c \| 17 +++++++++++------
		29	1 file changed, 11 insertions(+), 6 deletions(-)
		30
		31	diff --git a/hw/block/fdc.c b/hw/block/fdc.c
		32	index 490d127..045459e 100644
		33	--- a/hw/block/fdc.c
		34	+++ b/hw/block/fdc.c
		35	@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
		36	{
		37	FDrive *cur_drv;
		38	uint32_t retval = 0;
		39	- int pos;
		40	+ uint32_t pos;
		41
		42	cur_drv = get_cur_drv(fdctrl);
		43	fdctrl->dsr &= ~FD_DSR_PWRDOWN;
		44	@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
		45	return 0;
		46	}
		47	pos = fdctrl->data_pos;
		48	+ pos %= FD_SECTOR_LEN;
		49	if (fdctrl->msr & FD_MSR_NONDMA) {
		50	- pos %= FD_SECTOR_LEN;
		51	if (pos == 0) {
		52	if (fdctrl->data_pos != 0)
		53	if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
		54	@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
		55	static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
		56	{
		57	FDrive *cur_drv = get_cur_drv(fdctrl);
		58	+ uint32_t pos;
		59
		60	- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
		61	+ pos = fdctrl->data_pos - 1;
		62	+ pos %= FD_SECTOR_LEN;
		63	+ if (fdctrl->fifo[pos] & 0x80) {
		64	/* Command parameters done */
		65	- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
		66	+ if (fdctrl->fifo[pos] & 0x40) {
		67	fdctrl->fifo[0] = fdctrl->fifo[1];
		68	fdctrl->fifo[2] = 0;
		69	fdctrl->fifo[3] = 0;
		70	@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
		71	static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
		72	{
		73	FDrive *cur_drv;
		74	- int pos;
		75	+ uint32_t pos;
		76
		77	/* Reset mode */
		78	if (!(fdctrl->dor & FD_DOR_nRESET)) {
		79	@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
		80	}
		81
		82	FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
		83	- fdctrl->fifo[fdctrl->data_pos++] = value;
		84	+ pos = fdctrl->data_pos++;
		85	+ pos %= FD_SECTOR_LEN;
		86	+ fdctrl->fifo[pos] = value;
		87	if (fdctrl->data_pos == fdctrl->data_len) {
		88	/* We now have all parameters
		89	* and will be able to treat the command
		90	--
		91	1.7.9.5
		92


diff --git a/meta/recipes-devtools/qemu/qemu_2.3.0.bb b/meta/recipes-devtools/qemu/qemu_2.3.0.bb index 25c5e4d539..4782941f52 100644 --- a/meta/recipes-devtools/qemu/qemu_2.3.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.3.0.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
6	SRC_URI += "file://configure-fix-Darwin-target-detection.patch \	6	SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
7	file://qemu-enlarge-env-entry-size.patch \	7	file://qemu-enlarge-env-entry-size.patch \
8	file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \	8	file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
		9	file://qemu-CVE-2015-3456.patch \
9	"	10	"
10	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"	11	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
11	SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221"	12	SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221"