diff options
| author | nox <nox@FreeBSD.org> | 2015-05-17 18:09:36 +0800 |
|---|---|---|
| committer | nox <nox@FreeBSD.org> | 2015-05-17 18:09:36 +0800 |
| commit | f48d0b821ffba31632df3eb2e46d785854d40489 (patch) | |
| tree | bd581c5d54d5dc952ad2e19ed8c8926a92c739d1 /emulators | |
| parent | 3b9b11c6fb739edd9adb240189b01672cdf9b90e (diff) | |
| download | freebsd-ports-gnome-f48d0b821ffba31632df3eb2e46d785854d40489.tar.gz freebsd-ports-gnome-f48d0b821ffba31632df3eb2e46d785854d40489.tar.zst freebsd-ports-gnome-f48d0b821ffba31632df3eb2e46d785854d40489.zip | |
- Apply fixes for "BENOM" vulnerability - CVE-2015-3456 .
- Bump PORTREVISIONs.
PR: 200255
PR: 200256
PR: 200257
Submitted by: venture37@geeklan.co.uk
Obtained from: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
Security: http://vuxml.FreeBSD.org/freebsd/2780e442-fc59-11e4-b18b-6805ca1d3bb1.html
Diffstat (limited to 'emulators')
| -rw-r--r-- | emulators/qemu-devel/Makefile | 1 | ||||
| -rw-r--r-- | emulators/qemu-devel/files/patch-CVE-2015-3456 | 84 | ||||
| -rw-r--r-- | emulators/qemu-sbruno/Makefile | 1 | ||||
| -rw-r--r-- | emulators/qemu-sbruno/files/patch-CVE-2015-3456 | 84 | ||||
| -rw-r--r-- | emulators/qemu/Makefile | 2 | ||||
| -rw-r--r-- | emulators/qemu/files/patch-CVE-2015-3456 | 44 |
6 files changed, 215 insertions, 1 deletions
diff --git a/emulators/qemu-devel/Makefile b/emulators/qemu-devel/Makefile index 9c5e969b996f..0653c220533a 100644 --- a/emulators/qemu-devel/Makefile +++ b/emulators/qemu-devel/Makefile @@ -3,6 +3,7 @@ PORTNAME= qemu PORTVERSION= 2.3.0 +PORTREVISION= 1 CATEGORIES= emulators MASTER_SITES= http://wiki.qemu.org/download/:release \ LOCAL/nox:snapshot diff --git a/emulators/qemu-devel/files/patch-CVE-2015-3456 b/emulators/qemu-devel/files/patch-CVE-2015-3456 new file mode 100644 index 000000000000..50c19d9f08fe --- /dev/null +++ b/emulators/qemu-devel/files/patch-CVE-2015-3456 @@ -0,0 +1,84 @@ +From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001 +From: Petr Matousek <pmatouse@redhat.com> +Date: Wed, 6 May 2015 09:48:59 +0200 +Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reviewed-by: John Snow <jsnow@redhat.com> +Signed-off-by: John Snow <jsnow@redhat.com> +--- + hw/block/fdc.c | 17 +++++++++++------ + 1 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index f72a392..d8a8edd 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command +-- +1.7.0.4 + diff --git a/emulators/qemu-sbruno/Makefile b/emulators/qemu-sbruno/Makefile index f8d7f8e86f68..036f26e1d127 100644 --- a/emulators/qemu-sbruno/Makefile +++ b/emulators/qemu-sbruno/Makefile @@ -3,6 +3,7 @@ PORTNAME= qemu PORTVERSION= 2.3.50.g20150501 +PORTREVISION= 1 CATEGORIES= emulators MASTER_SITES= GH \ LOCAL/nox \ diff --git a/emulators/qemu-sbruno/files/patch-CVE-2015-3456 b/emulators/qemu-sbruno/files/patch-CVE-2015-3456 new file mode 100644 index 000000000000..50c19d9f08fe --- /dev/null +++ b/emulators/qemu-sbruno/files/patch-CVE-2015-3456 @@ -0,0 +1,84 @@ +From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001 +From: Petr Matousek <pmatouse@redhat.com> +Date: Wed, 6 May 2015 09:48:59 +0200 +Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reviewed-by: John Snow <jsnow@redhat.com> +Signed-off-by: John Snow <jsnow@redhat.com> +--- + hw/block/fdc.c | 17 +++++++++++------ + 1 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index f72a392..d8a8edd 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command +-- +1.7.0.4 + diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile index 4d2856d43ec1..802cabd95c4a 100644 --- a/emulators/qemu/Makefile +++ b/emulators/qemu/Makefile @@ -3,7 +3,7 @@ PORTNAME= qemu PORTVERSION= 0.11.1 -PORTREVISION= 18 +PORTREVISION= 19 CATEGORIES= emulators MASTER_SITES= SAVANNAH \ http://bellard.org/qemu/ diff --git a/emulators/qemu/files/patch-CVE-2015-3456 b/emulators/qemu/files/patch-CVE-2015-3456 new file mode 100644 index 000000000000..3ea061ea2056 --- /dev/null +++ b/emulators/qemu/files/patch-CVE-2015-3456 @@ -0,0 +1,44 @@ +--- a/hw/fdc.c ++++ b/hw/fdc.c +@@ -1324,7 +1324,7 @@ static uint32_t fdctrl_read_data (fdctrl + { + fdrive_t *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1333,8 +1333,8 @@ static uint32_t fdctrl_read_data (fdctrl + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1680,8 +1680,11 @@ static void fdctrl_handle_option (fdctrl + static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction) + { + fdrive_t *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; ++ ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; +- +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ + if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; +@@ -1778,7 +1782,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) + { + fdrive_t *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { |