From 18eddd163132db76bedde1f224405a1f24b2181d Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: May 13 2015 22:39:05 +0000
Subject: Backport upstream 2.4 patch to link with tcmalloc, enable it

CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz #1221152)

---

diff --git a/0001-configure-Add-support-for-tcmalloc.patch b/0001-configure-Add-support-for-tcmalloc.patch
index a1e3ae7..390da29 100644
--- a/0001-configure-Add-support-for-tcmalloc.patch
+++ b/0001-configure-Add-support-for-tcmalloc.patch
@@ -1,4 +1,3 @@
-From 2847b46958ab0bd604e1b3fcafba0f5ba4375833 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
 Date: Thu, 26 Mar 2015 11:03:12 +0800
 Subject: [PATCH] configure: Add support for tcmalloc
@@ -33,6 +32,7 @@ read       4k         1          156    39969      23
 Signed-off-by: Fam Zheng <famz@redhat.com>
 Message-Id: <1427338992-27057-1-git-send-email-famz@redhat.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 2847b46958ab0bd604e1b3fcafba0f5ba4375833)
 ---
  configure | 24 ++++++++++++++++++++++++
  1 file changed, 24 insertions(+)
@@ -100,6 +100,3 @@ index 6969f6f..75a4def 100755
  
  if test "$sdl_too_old" = "yes"; then
  echo "-> Your SDL version is too old - please upgrade to have SDL support"
--- 
-2.4.0
-
diff --git a/0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch b/0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
new file mode 100644
index 0000000..80cc267
--- /dev/null
+++ b/0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
@@ -0,0 +1,82 @@
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
+ buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c)
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 2bf87c9..a9de4ab 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
diff --git a/qemu.spec b/qemu.spec
index 6c376ea..1bd8354 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -43,7 +43,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.3.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -71,7 +71,11 @@ Source12: bridge.conf
 # qemu-kvm back compat wrapper
 Source13: qemu-kvm.sh
 
-Patch0: 0001-configure-Add-support-for-tcmalloc.patch
+# Backport upstream 2.4 patch to link with tcmalloc, enable it
+Patch0001: 0001-configure-Add-support-for-tcmalloc.patch
+# CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access
+# (bz #1221152)
+Patch0002: 0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
 
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -1176,6 +1180,11 @@ getent passwd qemu >/dev/null || \
 
 
 %changelog
+* Wed May 13 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.0-5
+- Backport upstream 2.4 patch to link with tcmalloc, enable it
+- CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz
+  #1221152)
+
 * Sun May 10 2015 Paolo Bonzini <pbonzini@redhat.com> 2:2.3.0-4
 - Backport upstream 2.4 patch to link with tcmalloc, enable it
 - Add -p1 to %autopatch