CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz #1221152)
This commit is contained in:
parent
343c57952d
commit
15d91eb086
|
@ -0,0 +1,82 @@
|
|||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Wed, 6 May 2015 09:48:59 +0200
|
||||
Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
|
||||
buffer
|
||||
|
||||
During processing of certain commands such as FD_CMD_READ_ID and
|
||||
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
|
||||
get out of bounds leading to memory corruption with values coming
|
||||
from the guest.
|
||||
|
||||
Fix this by making sure that the index is always bounded by the
|
||||
allocated memory.
|
||||
|
||||
This is CVE-2015-3456.
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c)
|
||||
---
|
||||
hw/block/fdc.c | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
|
||||
index 2bf87c9..a9de4ab 100644
|
||||
--- a/hw/block/fdc.c
|
||||
+++ b/hw/block/fdc.c
|
||||
@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
uint32_t retval = 0;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
cur_drv = get_cur_drv(fdctrl);
|
||||
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
|
||||
@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
return 0;
|
||||
}
|
||||
pos = fdctrl->data_pos;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
if (fdctrl->msr & FD_MSR_NONDMA) {
|
||||
- pos %= FD_SECTOR_LEN;
|
||||
if (pos == 0) {
|
||||
if (fdctrl->data_pos != 0)
|
||||
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
|
||||
@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
|
||||
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
|
||||
{
|
||||
FDrive *cur_drv = get_cur_drv(fdctrl);
|
||||
+ uint32_t pos;
|
||||
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
|
||||
+ pos = fdctrl->data_pos - 1;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ if (fdctrl->fifo[pos] & 0x80) {
|
||||
/* Command parameters done */
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
|
||||
+ if (fdctrl->fifo[pos] & 0x40) {
|
||||
fdctrl->fifo[0] = fdctrl->fifo[1];
|
||||
fdctrl->fifo[2] = 0;
|
||||
fdctrl->fifo[3] = 0;
|
||||
@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
|
||||
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
/* Reset mode */
|
||||
if (!(fdctrl->dor & FD_DOR_nRESET)) {
|
||||
@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
}
|
||||
|
||||
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
|
||||
- fdctrl->fifo[fdctrl->data_pos++] = value;
|
||||
+ pos = fdctrl->data_pos++;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ fdctrl->fifo[pos] = value;
|
||||
if (fdctrl->data_pos == fdctrl->data_len) {
|
||||
/* We now have all parameters
|
||||
* and will be able to treat the command
|
12
qemu.spec
12
qemu.spec
|
@ -43,7 +43,7 @@
|
|||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.3.0
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
|
@ -71,6 +71,10 @@ Source12: bridge.conf
|
|||
# qemu-kvm back compat wrapper
|
||||
Source13: qemu-kvm.sh
|
||||
|
||||
# CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access
|
||||
# (bz #1221152)
|
||||
Patch0001: 0001-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
|
||||
|
||||
BuildRequires: SDL2-devel
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: which
|
||||
|
@ -538,7 +542,7 @@ CAC emulation development files.
|
|||
|
||||
%prep
|
||||
%setup -q -n qemu-%{version}
|
||||
%autopatch
|
||||
%autopatch -p1
|
||||
|
||||
|
||||
%build
|
||||
|
@ -1172,6 +1176,10 @@ getent passwd qemu >/dev/null || \
|
|||
|
||||
|
||||
%changelog
|
||||
* Wed May 13 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.0-4
|
||||
- CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz
|
||||
#1221152)
|
||||
|
||||
* Wed May 06 2015 Cole Robinson <crobinso@redhat.com> 2:2.3.0-3%
|
||||
- Fix ksm.service (bz 1218814)
|
||||
|
||||
|
|
Loading…
Reference in New Issue