From 18eddd163132db76bedde1f224405a1f24b2181d Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: May 13 2015 22:39:05 +0000 Subject: Backport upstream 2.4 patch to link with tcmalloc, enable it CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz #1221152) --- diff --git a/0001-configure-Add-support-for-tcmalloc.patch b/0001-configure-Add-support-for-tcmalloc.patch index a1e3ae7..390da29 100644 --- a/0001-configure-Add-support-for-tcmalloc.patch +++ b/0001-configure-Add-support-for-tcmalloc.patch @@ -1,4 +1,3 @@ -From 2847b46958ab0bd604e1b3fcafba0f5ba4375833 Mon Sep 17 00:00:00 2001 From: Fam Zheng Date: Thu, 26 Mar 2015 11:03:12 +0800 Subject: [PATCH] configure: Add support for tcmalloc @@ -33,6 +32,7 @@ read 4k 1 156 39969 23 Signed-off-by: Fam Zheng Message-Id: <1427338992-27057-1-git-send-email-famz@redhat.com> Signed-off-by: Paolo Bonzini +(cherry picked from commit 2847b46958ab0bd604e1b3fcafba0f5ba4375833) --- configure | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) @@ -100,6 +100,3 @@ index 6969f6f..75a4def 100755 if test "$sdl_too_old" = "yes"; then echo "-> Your SDL version is too old - please upgrade to have SDL support" --- -2.4.0 - diff --git a/0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch b/0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch new file mode 100644 index 0000000..80cc267 --- /dev/null +++ b/0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch @@ -0,0 +1,82 @@ +From: Petr Matousek +Date: Wed, 6 May 2015 09:48:59 +0200 +Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated + buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek +Reviewed-by: John Snow +Signed-off-by: John Snow +(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c) +--- + hw/block/fdc.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 2bf87c9..a9de4ab 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command diff --git a/qemu.spec b/qemu.spec index 6c376ea..1bd8354 100644 --- a/qemu.spec +++ b/qemu.spec @@ -43,7 +43,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.3.0 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -71,7 +71,11 @@ Source12: bridge.conf # qemu-kvm back compat wrapper Source13: qemu-kvm.sh -Patch0: 0001-configure-Add-support-for-tcmalloc.patch +# Backport upstream 2.4 patch to link with tcmalloc, enable it +Patch0001: 0001-configure-Add-support-for-tcmalloc.patch +# CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access +# (bz #1221152) +Patch0002: 0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch BuildRequires: SDL2-devel BuildRequires: zlib-devel @@ -1176,6 +1180,11 @@ getent passwd qemu >/dev/null || \ %changelog +* Wed May 13 2015 Cole Robinson - 2:2.3.0-5 +- Backport upstream 2.4 patch to link with tcmalloc, enable it +- CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz + #1221152) + * Sun May 10 2015 Paolo Bonzini 2:2.3.0-4 - Backport upstream 2.4 patch to link with tcmalloc, enable it - Add -p1 to %autopatch