CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz #1221152)
This commit is contained in:
Cole Robinson
parent
c700dd0ffc
commit
a1c144d276
|
|
@ -0,0 +1,82 @@
|
|||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Wed, 6 May 2015 09:48:59 +0200
|
||||
Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
|
||||
buffer
|
||||
|
||||
During processing of certain commands such as FD_CMD_READ_ID and
|
||||
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
|
||||
get out of bounds leading to memory corruption with values coming
|
||||
from the guest.
|
||||
|
||||
Fix this by making sure that the index is always bounded by the
|
||||
allocated memory.
|
||||
|
||||
This is CVE-2015-3456.
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c)
|
||||
---
|
||||
hw/block/fdc.c | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
|
||||
index e35ed2e..eb5ea11 100644
|
||||
--- a/hw/block/fdc.c
|
||||
+++ b/hw/block/fdc.c
|
||||
@@ -1440,7 +1440,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
uint32_t retval = 0;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
cur_drv = get_cur_drv(fdctrl);
|
||||
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
|
||||
@@ -1449,8 +1449,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
return 0;
|
||||
}
|
||||
pos = fdctrl->data_pos;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
if (fdctrl->msr & FD_MSR_NONDMA) {
|
||||
- pos %= FD_SECTOR_LEN;
|
||||
if (pos == 0) {
|
||||
if (fdctrl->data_pos != 0)
|
||||
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
|
||||
@@ -1794,10 +1794,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
|
||||
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
|
||||
{
|
||||
FDrive *cur_drv = get_cur_drv(fdctrl);
|
||||
+ uint32_t pos;
|
||||
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
|
||||
+ pos = fdctrl->data_pos - 1;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ if (fdctrl->fifo[pos] & 0x80) {
|
||||
/* Command parameters done */
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
|
||||
+ if (fdctrl->fifo[pos] & 0x40) {
|
||||
fdctrl->fifo[0] = fdctrl->fifo[1];
|
||||
fdctrl->fifo[2] = 0;
|
||||
fdctrl->fifo[3] = 0;
|
||||
@@ -1897,7 +1900,7 @@ static uint8_t command_to_handler[256];
|
||||
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
/* Reset mode */
|
||||
if (!(fdctrl->dor & FD_DOR_nRESET)) {
|
||||
@@ -1945,7 +1948,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
}
|
||||
|
||||
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
|
||||
- fdctrl->fifo[fdctrl->data_pos++] = value;
|
||||
+ pos = fdctrl->data_pos++;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ fdctrl->fifo[pos] = value;
|
||||
if (fdctrl->data_pos == fdctrl->data_len) {
|
||||
/* We now have all parameters
|
||||
* and will be able to treat the command
|
||||
12
qemu.spec
12
qemu.spec
|
|
@ -139,7 +139,7 @@
|
|||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 1.6.2
|
||||
Release: 13%{?dist}
|
||||
Release: 14%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
|
|
@ -385,6 +385,9 @@ Patch0426: 0426-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch
|
|||
# CVE-2014-8106: cirrus: insufficient blit region checks
|
||||
Patch0427: 0427-cirrus-fix-blit-region-check.patch
|
||||
Patch0428: 0428-cirrus-don-t-overflow-CirrusVGAState-cirrus_bltbuf.patch
|
||||
# CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access
|
||||
# (bz #1221152)
|
||||
Patch0429: 0429-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
|
||||
|
||||
BuildRequires: SDL-devel
|
||||
BuildRequires: zlib-devel
|
||||
|
|
@ -1102,6 +1105,9 @@ CAC emulation development files.
|
|||
# CVE-2014-8106: cirrus: insufficient blit region checks
|
||||
%patch0427 -p1
|
||||
%patch0428 -p1
|
||||
# CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access
|
||||
# (bz #1221152)
|
||||
%patch0429 -p1
|
||||
|
||||
|
||||
%build
|
||||
|
|
@ -1809,6 +1815,10 @@ getent passwd qemu >/dev/null || \
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed May 13 2015 Cole Robinson <crobinso@redhat.com> - 2:1.6.2-14
|
||||
- CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz
|
||||
#1221152)
|
||||
|
||||
* Sat Feb 07 2015 Cole Robinson <crobinso@redhat.com> - 2:1.6.2-13
|
||||
- Fix qemu_bh_schedule race condition (bz #1165315)
|
||||
- CVE-2014-8106: cirrus: insufficient blit region checks
|
||||
|
|
|
|||
Loading…
Reference in New Issue