aboutsummaryrefslogtreecommitdiffstats
path: root/main/qemu
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2015-05-14 06:42:34 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-05-15 10:06:35 +0000
commit22634a6ccfa85473ebff2c4d4015ef6f1f6dae0b (patch)
tree333597696fcd1090a5be2021612eca094a43bdbe /main/qemu
parent77aa7ffbcc8c6f9f8d4be0c2207ae75d3e908a68 (diff)
downloadaports-22634a6ccfa85473ebff2c4d4015ef6f1f6dae0b.tar.bz2
aports-22634a6ccfa85473ebff2c4d4015ef6f1f6dae0b.tar.xz
main/qemu: security fix for CVE-2015-3456
ref #4181
Diffstat (limited to 'main/qemu')
-rw-r--r--main/qemu/APKBUILD7
-rw-r--r--main/qemu/CVE-2015-3456.patch84
2 files changed, 90 insertions, 1 deletions
diff --git a/main/qemu/APKBUILD b/main/qemu/APKBUILD
index b904850839..1ee54abe31 100644
--- a/main/qemu/APKBUILD
+++ b/main/qemu/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=qemu
pkgver=2.3.0
-pkgrel=0
+pkgrel=1
pkgdesc="QEMU is a generic machine emulator and virtualizer"
url="http://qemu.org/"
arch="all"
@@ -95,6 +95,8 @@ source="http://wiki.qemu-project.org/download/qemu-$pkgver.tar.bz2
musl-F_SHLCK-and-F_EXLCK.patch
fix-sigevent-and-sigval_t.patch
+ CVE-2015-3456.patch
+
qemu-guest-agent.confd
qemu-guest-agent.initd
80-kvm.rules"
@@ -292,6 +294,7 @@ md5sums="2fab3ea4460de9b57192e5b8b311f221 qemu-2.3.0.tar.bz2
d364208c4847ad2baeb237900befecd1 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
bc5f2e41ed3b6d6d30b672adab82e3e1 musl-F_SHLCK-and-F_EXLCK.patch
9afbd6c9586229ce64275f012d665e2a fix-sigevent-and-sigval_t.patch
+5e8a68940c4e0267e795a6ddd144e00e CVE-2015-3456.patch
1663bc6977f6886a58394155b1bf3676 qemu-guest-agent.confd
4cb15a1c3de2691dd65842f2325dfe22 qemu-guest-agent.initd
66660f143235201249dc0648b39b86ee 80-kvm.rules"
@@ -300,6 +303,7 @@ af35304b165622a53f7557b59ffd8da5030f5fd444e669c862f9410131f3b987 0001-elfload-l
6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
eefd597197223899d3b12d8274af493153e270fd06ea8622e33d6eaeae063d40 musl-F_SHLCK-and-F_EXLCK.patch
9abdf3410dea742cac3552363950c8a7fbcec8dd2bfd68e3c417a284f4e702f5 fix-sigevent-and-sigval_t.patch
+de69a47daf292fd0cc01c925a23c9fadbac0fb60c322bf89260cccceb47ca204 CVE-2015-3456.patch
d84e53a94584f37f3bd1b21f44077b5de0d07094c6729f26ae20ab1f7b9cc298 qemu-guest-agent.confd
91f5ba66b56bb9a3e0d134de3ea756794d5f09fe8a14a4b0d3d95f69a9245c60 qemu-guest-agent.initd
37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84 80-kvm.rules"
@@ -308,6 +312,7 @@ sha512sums="7a40d213c5696b27784abd2a3119e49d42c38c923be431826c73a8f14c19074435d7
ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
5de10f7e8abae16d1d7521e5ca1bfb62a8f295b324bea84f122f882b7b9354c21e5a00b20a1c5484c1b737b937e53c4ca6979e55705522f0779a5669725369f5 musl-F_SHLCK-and-F_EXLCK.patch
e3f006c28318669356cd5b778f26774f06b0a40a4ac852573379df63efcc8276869958faec16797a38bf96c6061dfc040309e462d8559984f67eaf4af701ca1a fix-sigevent-and-sigval_t.patch
+81485e26e30314b075a154cbce841fa3b803b70d8539a5ce00e57ec2020ab801d88c35631805811d003505dfd1909a5b70307fdbd8a192986f53143669465bd8 CVE-2015-3456.patch
d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd
69457d757909b990f4fdfaef621696e5a5d287b42bc58e553cb52d85191788a269e91c0475bfb7223d3a9120c19cdf4d749b4d54013a644f33d0551517cdf094 qemu-guest-agent.initd
9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules"
diff --git a/main/qemu/CVE-2015-3456.patch b/main/qemu/CVE-2015-3456.patch
new file mode 100644
index 0000000000..50c19d9f08
--- /dev/null
+++ b/main/qemu/CVE-2015-3456.patch
@@ -0,0 +1,84 @@
+From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--
+1.7.0.4
+