From a4cb6775b1dba64ef966673e32902183188143db Mon Sep 17 00:00:00 2001
From: Marcin Krol
Date: Wed, 15 Jul 2015 14:29:08 +0000
Subject: [PATCH] - PLD merge
---
 CVE-2015-3456.patch | 84 +++++++++++++++++++++++++++++++++++++++++++++
 qemu.spec | 31 +++++++++++------
 2 files changed, 105 insertions(+), 10 deletions(-)
 create mode 100644 CVE-2015-3456.patch
diff --git a/CVE-2015-3456.patch b/CVE-2015-3456.patch
new file mode 100644
index 0000000..50c19d9
--- /dev/null
+++ b/CVE-2015-3456.patch
@@ -0,0 +1,84 @@
+From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
+From: Petr Matousek
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek
+Reviewed-by: John Snow
+Signed-off-by: John Snow
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static
uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--
+1.7.0.4
+
diff --git a/qemu.spec b/qemu.spec
index b2b95c2..c8f8f61 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,3 +1,4 @@
+# TODO: archipelago (libxseg) on bcond (GPL v3 vs v2-only conflict)
 #
 # Conditional build:
 %bcond_without sdl # SDL UI and audio support
@@ -6,7 +7,7 @@
 %bcond_without rdma # RDMA-based migration support
 %bcond_with gtk2 # GTK+ 2.x instead of 3.x
 %bcond_without gtk3 # Do not build GTK+ UI
-%bcond_with vte # VTE support in GTK+ UI
+%bcond_without vte # VTE support in GTK+ UI
 %bcond_without spice # SPICE support
 %bcond_with esd # EsounD audio support
 %bcond_without oss # OSS audio support
@@ -32,8 +33,8 @@ Summary: QEMU CPU Emulator
 Summary(pl.UTF-8): QEMU - emulator procesora
 Name: qemu
 Version: 2.3.0
-Release: 1
-License: GPL v2+
+Release: 2
+License: GPL v2
 Group: Applications/Emulators
 Source0: http://wiki.qemu-project.org/download/%{name}-%{version}.tar.bz2
 # Source0-md5: 2fab3ea4460de9b57192e5b8b311f221
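Review bot: The `License:` tag is narrowed from `GPL v2+` to `GPL v2` in the `@@ -32,8 +33,8 @@` hunk of qemu.spec with no rationale recorded anywhere in the spec; the only hint is the new `# TODO: archipelago (libxseg) on bcond (GPL v3 vs v2-only conflict)` line at the top of the file, which a reader has no reason to connect with the tag. A one-line comment directly above the tag, e.g. `# v2 only, see the archipelago/libxseg note at the top of the file`, would tie the two together. Since the commit message is just `- PLD merge`, the spec itself is the only place this decision will ever be explained.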
@@ -47,20 +48,24 @@ Source6: ksm.sysconfig
 Source7: ksmctl.c
 Source9: ksmtuned
 Source10: ksmtuned.conf
+Source12: 99-%{name}-guest-agent.rules
 Patch0: %{name}-cflags.patch
 Patch1: vgabios-widescreens.patch
 Patch2: %{name}-whitelist.patch
 Patch3: %{name}-system-libcacard.patch
 Patch4: %{name}-xattr.patch
 Patch5: libjpeg-boolean.patch
+Patch6: CVE-2015-3456.patch
 # Proof of concept, for reference, do not remove
 Patch400: %{name}-kde_virtual_workspaces_hack.patch
 URL: http://www.qemu-project.org/
+BuildRequires: OpenGL-GLX-devel
 %{?with_sdl:BuildRequires: SDL2-devel >= 2.0}
 BuildRequires: alsa-lib-devel
-BuildRequires: bcc
+BuildRequires: bcc >= 0.16.21-2
 %{?with_bluetooth:BuildRequires: bluez-libs-devel}
 %{?with_brlapi:BuildRequires: brlapi-devel}
+BuildRequires: bzip2-devel
 %{?with_ceph:BuildRequires: ceph-devel}
 BuildRequires: curl-devel
 BuildRequires: cyrus-sasl-devel >= 2
@@ -87,8 +92,10 @@ BuildRequires: libuuid-devel
 BuildRequires: lzo-devel >= 2
 BuildRequires: ncurses-devel
 %{?with_smartcard:BuildRequires: nss-devel >= 3.12.8}
+BuildRequires: numactl-devel
 BuildRequires: perl-Encode
 BuildRequires: perl-tools-pod
+BuildRequires: pixman-devel >= 0.21.8
 BuildRequires: pkgconfig
 %{?with_pulseaudio:BuildRequires: pulseaudio-devel}
 BuildRequires: rpmbuild(macros) >= 1.644
@@ -149,6 +156,7 @@ Requires: SDL2 \
 Requires: libseccomp >= 2.1.0 \
 %endif \
 Requires: libusb >= 1.0.13 \
+Requires: pixman >= 0.21.8 \
 %if %{with usbredir} \
 Requires: usbredir >= 0.6 \
 %endif \
@@ -161,9 +169,9 @@ Requires: gtk+3 >= 3.0.0 \
 %{?with_vte:Requires: vte2.90 >= 0.32.0} \
 %endif
-# some PPC/SPARC boot image in ELF format
-%define _noautostrip .*%{_datadir}/qemu/.*-.*
-%define _noautochrpath .*%{_datadir}/qemu/.*-.*
+# don't strip/chrpath anything in there; these are boot images, roms etc
+%define _noautostrip .*%{_datadir}/qemu/.*
+%define _noautochrpath .*%{_datadir}/qemu/.*
 %description
 QEMU is a FAST! processor emulator. By using dynamic translation it
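Review bot: `Patch6: CVE-2015-3456.patch` in the `@@ -47,20 +48,24 @@` hunk is the one security backport in this change, but unlike the other patches its filename says nothing about what it touches and the spec carries no comment for it. A line above it such as `# fdc: force the fifo access to be in bounds of the allocated buffer (upstream e907746, CVE-2015-3456)` lets a maintainer decide when the patch can be dropped after a version bump without opening the file. The same hunk adds `BuildRequires: OpenGL-GLX-devel` unconditionally while `SDL2-devel` stays behind `%{?with_sdl:...}`; if the GL headers are only needed by the SDL/GTK UIs, the new line should probably sit behind the same bcond so a UI-less build does not grow a dependency it cannot use.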
@@ -714,6 +722,7 @@ Moduł QEMU dla urządeń blokowych typu 'ssh'.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %{__mv} libcacard libcacard-use-system-lib
@@ -814,6 +823,9 @@ install -p ksmctl $RPM_BUILD_ROOT%{_sbindir}
 install -p %{SOURCE9} $RPM_BUILD_ROOT%{_sbindir}/ksmtuned
 install -p %{SOURCE10} $RPM_BUILD_ROOT%{_sysconfdir}/ksmtuned.conf
+# For the qemu-guest-agent subpackage install udev rules.
+install -p %{SOURCE12} $RPM_BUILD_ROOT%{_sysconfdir}/udev/rules.d
+
 for i in dummy \
 %ifnarch %{ix86} %{x8664}
 qemu-i386 \
@@ -876,14 +888,12 @@ if [ "$1" = "0" ]; then
 %groupremove kvm
 fi
-%triggerpostun common -- qemu-common < 1.6.1-4
-
 %files
 %defattr(644,root,root,755)
 %files common -f %{name}.lang
 %defattr(644,root,root,755)
-%doc README qemu-doc.html qemu-tech.html qmp-commands.txt
+%doc LICENSE README qemu-doc.html qemu-tech.html qmp-commands.txt
 %attr(755,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/qemu-ifup
 %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/qemu/target-*.conf
 %config(noreplace) %verify(not md5 mtime size) /etc/ksmtuned.conf
@@ -1077,6 +1087,7 @@ fi
 %files guest-agent
 %defattr(644,root,root,755)
+%config(noreplace) %verify(not md5 mtime size) /etc/udev/rules.d/99-qemu-guest-agent.rules
 %attr(755,root,root) %{_bindir}/qemu-ga
 %files module-block-curl
--
2.46.0
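Review bot: `install -p %{SOURCE12} $RPM_BUILD_ROOT%{_sysconfdir}/udev/rules.d` in the `@@ -814,6 +823,9 @@` hunk copies into a directory that nothing in the hunk creates; unless an `install -d` for it already exists elsewhere in %install (outside this hunk), the build either fails or, if `udev/` exists but `rules.d` does not, `install` writes a regular file named `rules.d`. Add `install -d $RPM_BUILD_ROOT%{_sysconfdir}/udev/rules.d` before it and install to the full path `$RPM_BUILD_ROOT%{_sysconfdir}/udev/rules.d/99-%{name}-guest-agent.rules`, as the neighbouring `ksmtuned.conf` line does. The matching `%files guest-agent` entry in `@@ -1077,6 +1087,7 @@` spells the path as a literal `/etc/udev/rules.d/99-qemu-guest-agent.rules`; writing it as `%{_sysconfdir}/udev/rules.d/99-%{name}-guest-agent.rules` keeps it in sync with Source12 and the install line. Marking a package-shipped udev rule `%config(noreplace)` also means a later fix to the rule will not reach hosts where the file was ever touched, which deserves a deliberate decision rather than being inherited from the `ksmtuned.conf` entry above it.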