diff options
author | Mark H Weaver <mhw@netris.org> | 2015-05-14 19:01:26 -0400 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2015-05-14 19:36:19 -0400 |
commit | f6708fcdb2b6977e0a2a7449aa917dc373545455 (patch) | |
tree | e65d5f54b6c4ca4fcbeb29d02378644ac994864e | |
parent | 3736a110bd60e2453dc51e405d36fed51d4cb9b2 (diff) | |
download | patches-f6708fcdb2b6977e0a2a7449aa917dc373545455.tar patches-f6708fcdb2b6977e0a2a7449aa917dc373545455.tar.gz |
gnu: qemu: Update to 2.3.0; add fix for CVE-2015-3456.
* gnu/packages/patches/qemu-CVE-2015-3456.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/qemu.scm (qemu-headless): Update to 2.3.0. Add patch.
-rw-r--r-- | gnu-system.am | 1 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2015-3456.patch | 85 | ||||
-rw-r--r-- | gnu/packages/qemu.scm | 6 |
3 files changed, 90 insertions, 2 deletions
diff --git a/gnu-system.am b/gnu-system.am index e25eae59fe..5ba48d15d2 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -536,6 +536,7 @@ dist_patch_DATA = \ gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \ gnu/packages/patches/python2-sqlite-3.8.4-test-fix.patch \ gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ + gnu/packages/patches/qemu-CVE-2015-3456.patch \ gnu/packages/patches/qt4-ldflags.patch \ gnu/packages/patches/qt4-tests.patch \ gnu/packages/patches/qt5-conflicting-typedefs.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2015-3456.patch b/gnu/packages/patches/qemu-CVE-2015-3456.patch new file mode 100644 index 0000000000..9514f7c3e5 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2015-3456.patch @@ -0,0 +1,85 @@ +From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001 +From: Petr Matousek <pmatouse@redhat.com> +Date: Wed, 6 May 2015 09:48:59 +0200 +Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated + buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reviewed-by: John Snow <jsnow@redhat.com> +Signed-off-by: John Snow <jsnow@redhat.com> +--- + hw/block/fdc.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index f72a392..d8a8edd 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command +-- +2.2.1 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 77aeecf40c..e9a2c08743 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2015 Mark H Weaver <mhw@netris.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -42,14 +43,15 @@ ;; This is QEMU without GUI support. (package (name "qemu-headless") - (version "2.2.0") + (version "2.3.0") (source (origin (method url-fetch) (uri (string-append "http://wiki.qemu-project.org/download/qemu-" version ".tar.bz2")) (sha256 (base32 - "1703c3scl5n07gmpilg7g2xzyxnr7jczxgx6nn4m8kv9gin9p35n")))) + "120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn")) + (patches (list (search-patch "qemu-CVE-2015-3456.patch"))))) (build-system gnu-build-system) (arguments '(#:phases (alist-replace |