myoung pushed to xen (f20). "Privilege escalation via emulated floppy disk drive"
notifications at fedoraproject.org
notifications at fedoraproject.org
Wed May 13 22:42:13 UTC 2015
From 66e96b96a60c49fe8234761cd414c55be04d3f77 Mon Sep 17 00:00:00 2001
From: Michael Young <m.a.young at durham.ac.uk>
Date: Wed, 13 May 2015 23:41:58 +0100
Subject: Privilege escalation via emulated floppy disk drive
diff --git a/xen.spec b/xen.spec
index eba73d9..508386f 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.3.4
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -112,6 +112,8 @@ Patch38: xsa126-qemuu-4.3.patch
Patch39: xsa126-qemut.patch
Patch40: xsa127-4.x.patch
Patch41: xsa132.patch
+Patch42: xsa133-qemut.patch
+Patch43: xsa133-qemuu-4.3-4.2.patch
Patch100: xen-configure-xend.patch
@@ -308,6 +310,8 @@ manage Xen virtual machines.
%patch39 -p1
%patch40 -p1
%patch41 -p1
+%patch42 -p1
+%patch43 -p1
%patch100 -p1
@@ -881,6 +885,10 @@ rm -rf %{buildroot}
%endif
%changelog
+* Wed May 13 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.4-4
+- Privilege escalation via emulated floppy disk drive [XSA-133,
+ CVE-2015-3456] (#1221153)
+
* Mon Apr 20 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.4-3
- Information leak through XEN_DOMCTL_gettscinfo [XSA-132,
CVE-2015-3340] (#1214037)
diff --git a/xsa133-qemut.patch b/xsa133-qemut.patch
new file mode 100644
index 0000000..6bf8951
--- /dev/null
+++ b/xsa133-qemut.patch
@@ -0,0 +1,80 @@
+From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse at redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse at redhat.com>
+Reviewed-by: John Snow <jsnow at redhat.com>
+---
+ tools/qemu-xen-traditional/hw/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/tools/qemu-xen-traditional/hw/fdc.c b/tools/qemu-xen-traditional/hw/fdc.c
+index b00a4ec..aba02e4 100644
+--- a/tools/qemu-xen-traditional/hw/fdc.c
++++ b/tools/qemu-xen-traditional/hw/fdc.c
+@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
+ {
+ fdrive_t *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+ fdrive_t *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+ fdrive_t *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
diff --git a/xsa133-qemuu-4.3-4.2.patch b/xsa133-qemuu-4.3-4.2.patch
new file mode 100644
index 0000000..855f3a0
--- /dev/null
+++ b/xsa133-qemuu-4.3-4.2.patch
@@ -0,0 +1,84 @@
+From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse at redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse at redhat.com>
+Reviewed-by: John Snow <jsnow at redhat.com>
+---
+ tools/qemu-xen/hw/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/tools/qemu-xen/hw/fdc.c b/tools/qemu-xen/hw/fdc.c
+index f72a392..d8a8edd 100644
+--- a/tools/qemu-xen/hw/fdc.c
++++ b/tools/qemu-xen/hw/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--
+2.1.0
+
+
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/xen.git/commit/?h=f20&id=66e96b96a60c49fe8234761cd414c55be04d3f77
More information about the scm-commits
mailing list