crobinso pushed to qemu (f21). "CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz #1221152)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Wed May 13 22:24:21 UTC 2015
From 0f98ce27803d5bfab2fc5dd96dc624d1affa2e42 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso at redhat.com>
Date: Wed, 13 May 2015 18:24:12 -0400
Subject: CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access
(bz #1221152)
diff --git a/0017-block-Fix-max-nb_sectors-in-bdrv_make_zero.patch b/0017-block-Fix-max-nb_sectors-in-bdrv_make_zero.patch
index 6150722..ecb30d0 100644
--- a/0017-block-Fix-max-nb_sectors-in-bdrv_make_zero.patch
+++ b/0017-block-Fix-max-nb_sectors-in-bdrv_make_zero.patch
@@ -1,4 +1,3 @@
-From 619943278aa5b1f500d6f4b486b4581ed1f6143f Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz at redhat.com>
Date: Mon, 10 Nov 2014 15:07:44 +0800
Subject: [PATCH] block: Fix max nb_sectors in bdrv_make_zero
@@ -10,6 +9,7 @@ Signed-off-by: Fam Zheng <famz at redhat.com>
Reviewed-by: Markus Armbruster <armbru at redhat.com>
Message-id: 1415603264-21497-1-git-send-email-famz at redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
+(cherry picked from commit f3a9cfddaec127078ac1898de6b063db8ac3bb48)
---
block.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
@@ -29,6 +29,3 @@ index ed87b7e..8dc841c 100644
}
ret = bdrv_get_block_status(bs, sector_num, nb_sectors, &n);
if (ret < 0) {
---
-2.3.5
-
diff --git a/0018-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch b/0018-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
new file mode 100644
index 0000000..0068934
--- /dev/null
+++ b/0018-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
@@ -0,0 +1,82 @@
+From: Petr Matousek <pmatouse at redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
+ buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse at redhat.com>
+Reviewed-by: John Snow <jsnow at redhat.com>
+Signed-off-by: John Snow <jsnow at redhat.com>
+(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c)
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 490d127..045459e 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
diff --git a/qemu.spec b/qemu.spec
index cdd4007..c30ac3f 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -152,7 +152,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.1.3
-Release: 6%{?dist}
+Release: 7%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@@ -221,6 +221,9 @@ Patch0015: 0015-CVE-2015-1779-incrementally-decode-websocket-frames.patch
Patch0016: 0016-CVE-2015-1779-limit-size-of-HTTP-headers-from-websoc.patch
# Fix qemu-img error (bz #1200043)
Patch0017: 0017-block-Fix-max-nb_sectors-in-bdrv_make_zero.patch
+# CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access
+# (bz #1221152)
+Patch0018: 0018-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
BuildRequires: SDL2-devel
BuildRequires: zlib-devel
@@ -776,6 +779,9 @@ CAC emulation development files.
%patch0016 -p1
# Fix qemu-img error (bz #1200043)
%patch0017 -p1
+# CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access
+# (bz #1221152)
+%patch0018 -p1
%build
@@ -1556,6 +1562,10 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
+* Wed May 13 2015 Cole Robinson <crobinso at redhat.com> - 2:2.1.3-7
+- CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz
+ #1221152)
+
* Tue Apr 14 2015 Haïkel Guémar <hguemar at fedoraproject.org> - 2:2.1.3-6
- Reintroduce upstream patch fixing some qemu-img conversion errors (RHBZ#1200043)
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/qemu.git/commit/?h=f21&id=0f98ce27803d5bfab2fc5dd96dc624d1affa2e42
More information about the scm-commits
mailing list