guix-commits
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: qemu: Update to 2.3.0; add fix for CVE-2015-3456.

From: Mark H. Weaver
Subject: 01/01: gnu: qemu: Update to 2.3.0; add fix for CVE-2015-3456.
Date: Thu, 14 May 2015 23:36:26 +0000 
mhw pushed a commit to branch master
in repository guix.

commit f6708fcdb2b6977e0a2a7449aa917dc373545455
Author: Mark H Weaver <address@hidden>
Date:   Thu May 14 19:01:26 2015 -0400

    gnu: qemu: Update to 2.3.0; add fix for CVE-2015-3456.
    
    * gnu/packages/patches/qemu-CVE-2015-3456.patch: New file.
    * gnu-system.am (dist_patch_DATA): Add it.
    * gnu/packages/qemu.scm (qemu-headless): Update to 2.3.0.  Add patch.
---
 gnu-system.am                                 |    1 +
 gnu/packages/patches/qemu-CVE-2015-3456.patch |   85 +++++++++++++++++++++++++
 gnu/packages/qemu.scm                         |    6 +-
 3 files changed, 90 insertions(+), 2 deletions(-)

diff --git a/gnu-system.am b/gnu-system.am
index e25eae5..5ba48d1 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -536,6 +536,7 @@ dist_patch_DATA =                                           
\
   gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \
   gnu/packages/patches/python2-sqlite-3.8.4-test-fix.patch     \
   gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
+  gnu/packages/patches/qemu-CVE-2015-3456.patch                        \
   gnu/packages/patches/qt4-ldflags.patch                       \
   gnu/packages/patches/qt4-tests.patch                         \
   gnu/packages/patches/qt5-conflicting-typedefs.patch          \
diff --git a/gnu/packages/patches/qemu-CVE-2015-3456.patch 
b/gnu/packages/patches/qemu-CVE-2015-3456.patch
new file mode 100644
index 0000000..9514f7c
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2015-3456.patch
@@ -0,0 +1,85 @@
+From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
+From: Petr Matousek <address@hidden>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
+ buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <address@hidden>
+Reviewed-by: John Snow <address@hidden>
+Signed-off-by: John Snow <address@hidden>
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int 
direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int 
direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t 
value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
+-- 
+2.2.1
+
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 77aeecf..e9a2c08 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014 Ludovic Courtès <address@hidden>
+;;; Copyright © 2015 Mark H Weaver <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -42,14 +43,15 @@
   ;; This is QEMU without GUI support.
   (package
     (name "qemu-headless")
-    (version "2.2.0")
+    (version "2.3.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "http://wiki.qemu-project.org/download/qemu-";
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "1703c3scl5n07gmpilg7g2xzyxnr7jczxgx6nn4m8kv9gin9p35n"))))
+               "120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn"))
+             (patches (list (search-patch "qemu-CVE-2015-3456.patch")))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases (alist-replace
reply via email to
[Prev in Thread] Current Thread [Next in Thread]