diff options
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch | 92 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.3.0.bb | 1 |
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch new file mode 100644 index 0000000000..f05441fce6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch @@ -0,0 +1,92 @@ +qemu: CVE-2015-3456 + +the patch comes from: +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456 +http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c + +fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reviewed-by: John Snow <jsnow@redhat.com> +Signed-off-by: John Snow <jsnow@redhat.com> +Signed-off-by: Li Wang <li.wang@windriver.com> + +Upstream-Status: Backport + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +--- + hw/block/fdc.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 490d127..045459e 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command +-- +1.7.9.5 + diff --git a/meta/recipes-devtools/qemu/qemu_2.3.0.bb b/meta/recipes-devtools/qemu/qemu_2.3.0.bb index 25c5e4d539..4782941f52 100644 --- a/meta/recipes-devtools/qemu/qemu_2.3.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.3.0.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ file://qemu-enlarge-env-entry-size.patch \ file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ + file://qemu-CVE-2015-3456.patch \ " SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221" |