Compare commits
52 Commits
Author | SHA1 | Date |
---|---|---|
Lubomir Rintel | 79f542cea6 | |
Lubomir Rintel | 5f7cb4c26f | |
Lubomir Rintel | 997d06a014 | |
Lubomir Rintel | d959eae0d5 | |
Lubomir Rintel | a3564f2bb9 | |
Lubomir Rintel | 3273833fa9 | |
Lubomir Rintel | bd297f4f9f | |
Lubomir Rintel | baadb31598 | |
Lubomir Rintel | 0dba1e953b | |
Lubomir Rintel | 9e5857b25a | |
Cole Robinson | 0cb5848dfe | |
Lubomir Rintel | d3b0b5b9cf | |
Lubomir Rintel | 314fa5e1b7 | |
Lubomir Rintel | 15f4000e59 | |
Lubomir Rintel | cbdf8f4436 | |
Lubomir Rintel | 3b535edd7c | |
Lubomir Rintel | 13197a9445 | |
Lubomir Rintel | 43197f83a4 | |
Lubomir Rintel | f58844eafa | |
Lubomir Rintel | 1329b351aa | |
Lubomir Rintel | 611398f681 | |
Lubomir Rintel | 960871e4b3 | |
Lubomir Rintel | c7f978a916 | |
Cole Robinson | 24324ebfc9 | |
Lubomir Rintel | 9901e6f72f | |
Lubomir Rintel | 4b674a2baa | |
Lubomir Rintel | 21cce4c25a | |
Lubomir Rintel | 491ebad8e9 | |
Lubomir Rintel | aeaf00e653 | |
Lubomir Rintel | 13e81f0a14 | |
Lubomir Rintel | 44956eaef5 | |
Lubomir Rintel | 63b22659aa | |
Lubomir Rintel | c708b1569c | |
Lubomir Rintel | 6d85eb62f9 | |
Lubomir Rintel | 5f9089d1b5 | |
Cole Robinson | 7a207f1857 | |
Cole Robinson | 4b07b93c5a | |
Cole Robinson | cb4937d525 | |
Cole Robinson | c2ae918774 | |
Alon Levy | ca009fd076 | |
Cole Robinson | db155eccfe | |
Richard W.M. Jones | 4c7a45d13c | |
Cole Robinson | 18389bf646 | |
Alon Levy | 4d1515ab5b | |
Cole Robinson | d4960498b1 | |
Cole Robinson | 2d6147865c | |
Cole Robinson | 09f167f66e | |
Cole Robinson | 0067bd1e40 | |
Dan Horák | 742904e1a4 | |
Cole Robinson | a7b9285033 | |
Alon Levy | b37e2081e5 | |
Alon Levy | 408bdb5e74 |
|
@ -0,0 +1,79 @@
|
|||
From fcb9de761d54ec4aaa44027a5ce95f7b3e36ebd9 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Wolf <kwolf@redhat.com>
|
||||
Date: Sun, 26 Jul 2015 23:42:53 -0400
|
||||
Subject: [PATCH 1/4] ide: Check array bounds before writing to io_buffer
|
||||
(CVE-2015-5154)
|
||||
|
||||
If the end_transfer_func of a command is called because enough data has
|
||||
been read or written for the current PIO transfer, and it fails to
|
||||
correctly call the command completion functions, the DRQ bit in the
|
||||
status register and s->end_transfer_func may remain set. This allows the
|
||||
guest to access further bytes in s->io_buffer beyond s->data_end, and
|
||||
eventually overflowing the io_buffer.
|
||||
|
||||
One case where this currently happens is emulation of the ATAPI command
|
||||
START STOP UNIT.
|
||||
|
||||
This patch fixes the problem by adding explicit array bounds checks
|
||||
before accessing the buffer instead of relying on end_transfer_func to
|
||||
function correctly.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
||||
(cherry picked from commit d2ff85854512574e7209f295e87b0835d5b032c6)
|
||||
---
|
||||
hw/ide/core.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/hw/ide/core.c b/hw/ide/core.c
|
||||
index c943a4d..e2ad6ee 100644
|
||||
--- a/hw/ide/core.c
|
||||
+++ b/hw/ide/core.c
|
||||
@@ -1901,6 +1901,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
|
||||
}
|
||||
|
||||
p = s->data_ptr;
|
||||
+ if (p + 2 > s->data_end) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
*(uint16_t *)p = le16_to_cpu(val);
|
||||
p += 2;
|
||||
s->data_ptr = p;
|
||||
@@ -1922,6 +1926,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
|
||||
}
|
||||
|
||||
p = s->data_ptr;
|
||||
+ if (p + 2 > s->data_end) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
ret = cpu_to_le16(*(uint16_t *)p);
|
||||
p += 2;
|
||||
s->data_ptr = p;
|
||||
@@ -1943,6 +1951,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
|
||||
}
|
||||
|
||||
p = s->data_ptr;
|
||||
+ if (p + 4 > s->data_end) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
*(uint32_t *)p = le32_to_cpu(val);
|
||||
p += 4;
|
||||
s->data_ptr = p;
|
||||
@@ -1964,6 +1976,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
|
||||
}
|
||||
|
||||
p = s->data_ptr;
|
||||
+ if (p + 4 > s->data_end) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
ret = cpu_to_le32(*(uint32_t *)p);
|
||||
p += 4;
|
||||
s->data_ptr = p;
|
||||
--
|
||||
2.5.0
|
||||
|
|
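Review bot: The bounds check `if (p + 2 > s->data_end)` forms a pointer two bytes past the buffer before comparing it, and the description says data_ptr can legitimately sit at data_end when end_transfer_func failed to complete the command, so the comparison is done on an out-of-range pointer (undefined in C, even if every compiler in practice does the right thing). Comparing the remaining length instead avoids that: `if (s->data_end - p < 2) {` here and in ide_data_readw, with `< 4` in the two 32-bit variants below. A one-line comment on why the check exists would also help, since the reader cannot see end_transfer_func from here: `/* DRQ may still be set after a failed command completion; never rely on it for bounds */`. ide_data_writew and the other three handlers start and end outside their hunks.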
@ -0,0 +1,82 @@
|
|||
From 9cc96b9353238598cc70f4938c403f7d0dcaa994 Mon Sep 17 00:00:00 2001
|
||||
From: Lubomir Rintel <lkundrak@v3.sk>
|
||||
Date: Thu, 26 Feb 2015 10:02:13 +0100
|
||||
Subject: [PATCH] pxe: always use non-efi roms
|
||||
|
||||
We don't ship efi versions.
|
||||
---
|
||||
hw/net/e1000.c | 2 +-
|
||||
hw/net/ne2000.c | 2 +-
|
||||
hw/net/pcnet-pci.c | 2 +-
|
||||
hw/net/rtl8139.c | 2 +-
|
||||
hw/virtio/virtio-pci.c | 2 +-
|
||||
5 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
|
||||
index 8387443..6e28e0f 100644
|
||||
--- a/hw/net/e1000.c
|
||||
+++ b/hw/net/e1000.c
|
||||
@@ -1571,7 +1571,7 @@ static void e1000_class_init(ObjectClass *klass, void *data)
|
||||
|
||||
k->init = pci_e1000_init;
|
||||
k->exit = pci_e1000_uninit;
|
||||
- k->romfile = "efi-e1000.rom";
|
||||
+ k->romfile = "pxe-e1000.rom";
|
||||
k->vendor_id = PCI_VENDOR_ID_INTEL;
|
||||
k->device_id = E1000_DEVID;
|
||||
k->revision = 0x03;
|
||||
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
|
||||
index 4c32e9e..12cf3ed 100644
|
||||
--- a/hw/net/ne2000.c
|
||||
+++ b/hw/net/ne2000.c
|
||||
@@ -767,7 +767,7 @@ static void ne2000_class_init(ObjectClass *klass, void *data)
|
||||
|
||||
k->init = pci_ne2000_init;
|
||||
k->exit = pci_ne2000_exit;
|
||||
- k->romfile = "efi-ne2k_pci.rom",
|
||||
+ k->romfile = "pxe-ne2k_pci.rom",
|
||||
k->vendor_id = PCI_VENDOR_ID_REALTEK;
|
||||
k->device_id = PCI_DEVICE_ID_REALTEK_8029;
|
||||
k->class_id = PCI_CLASS_NETWORK_ETHERNET;
|
||||
diff --git a/hw/net/pcnet-pci.c b/hw/net/pcnet-pci.c
|
||||
index 6a5d806..945fff4 100644
|
||||
--- a/hw/net/pcnet-pci.c
|
||||
+++ b/hw/net/pcnet-pci.c
|
||||
@@ -359,7 +359,7 @@ static void pcnet_class_init(ObjectClass *klass, void *data)
|
||||
|
||||
k->init = pci_pcnet_init;
|
||||
k->exit = pci_pcnet_uninit;
|
||||
- k->romfile = "efi-pcnet.rom",
|
||||
+ k->romfile = "pxe-pcnet.rom",
|
||||
k->vendor_id = PCI_VENDOR_ID_AMD;
|
||||
k->device_id = PCI_DEVICE_ID_AMD_LANCE;
|
||||
k->revision = 0x10;
|
||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
||||
index 5329f44..4be91a1 100644
|
||||
--- a/hw/net/rtl8139.c
|
||||
+++ b/hw/net/rtl8139.c
|
||||
@@ -3560,7 +3560,7 @@ static void rtl8139_class_init(ObjectClass *klass, void *data)
|
||||
|
||||
k->init = pci_rtl8139_init;
|
||||
k->exit = pci_rtl8139_uninit;
|
||||
- k->romfile = "efi-rtl8139.rom";
|
||||
+ k->romfile = "pxe-rtl8139.rom";
|
||||
k->vendor_id = PCI_VENDOR_ID_REALTEK;
|
||||
k->device_id = PCI_DEVICE_ID_REALTEK_8139;
|
||||
k->revision = RTL8139_PCI_REVID; /* >=0x20 is for 8139C+ */
|
||||
diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
|
||||
index ce97514..d815b0e 100644
|
||||
--- a/hw/virtio/virtio-pci.c
|
||||
+++ b/hw/virtio/virtio-pci.c
|
||||
@@ -1445,7 +1445,7 @@ static void virtio_net_pci_class_init(ObjectClass *klass, void *data)
|
||||
PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
|
||||
VirtioPCIClass *vpciklass = VIRTIO_PCI_CLASS(klass);
|
||||
|
||||
- k->romfile = "efi-virtio.rom";
|
||||
+ k->romfile = "pxe-virtio.rom";
|
||||
k->vendor_id = PCI_VENDOR_ID_REDHAT_QUMRANET;
|
||||
k->device_id = PCI_DEVICE_ID_VIRTIO_NET;
|
||||
k->revision = VIRTIO_PCI_ABI_VERSION;
|
||||
--
|
||||
2.1.0
|
||||
|
|
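Review bot: The new lines in ne2000.c and pcnet-pci.c keep the trailing comma from the old ones, `k->romfile = "pxe-ne2k_pci.rom",` and `k->romfile = "pxe-pcnet.rom",`, so each assignment is joined to the following `k->vendor_id = …;` by the comma operator; it compiles, but since these lines are being rewritten anyway, ending them with `;` as the e1000, rtl8139 and virtio hunks do would be tidier. The change itself is a straightforward rom file switch, and each class_init function starts and ends outside its hunk.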
@ -0,0 +1,82 @@
|
|||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Wed, 6 May 2015 09:48:59 +0200
|
||||
Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
|
||||
buffer
|
||||
|
||||
During processing of certain commands such as FD_CMD_READ_ID and
|
||||
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
|
||||
get out of bounds leading to memory corruption with values coming
|
||||
from the guest.
|
||||
|
||||
Fix this by making sure that the index is always bounded by the
|
||||
allocated memory.
|
||||
|
||||
This is CVE-2015-3456.
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c)
|
||||
---
|
||||
hw/block/fdc.c | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
|
||||
index 2bf87c9..a9de4ab 100644
|
||||
--- a/hw/block/fdc.c
|
||||
+++ b/hw/block/fdc.c
|
||||
@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
uint32_t retval = 0;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
cur_drv = get_cur_drv(fdctrl);
|
||||
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
|
||||
@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
return 0;
|
||||
}
|
||||
pos = fdctrl->data_pos;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
if (fdctrl->msr & FD_MSR_NONDMA) {
|
||||
- pos %= FD_SECTOR_LEN;
|
||||
if (pos == 0) {
|
||||
if (fdctrl->data_pos != 0)
|
||||
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
|
||||
@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
|
||||
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
|
||||
{
|
||||
FDrive *cur_drv = get_cur_drv(fdctrl);
|
||||
+ uint32_t pos;
|
||||
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
|
||||
+ pos = fdctrl->data_pos - 1;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ if (fdctrl->fifo[pos] & 0x80) {
|
||||
/* Command parameters done */
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
|
||||
+ if (fdctrl->fifo[pos] & 0x40) {
|
||||
fdctrl->fifo[0] = fdctrl->fifo[1];
|
||||
fdctrl->fifo[2] = 0;
|
||||
fdctrl->fifo[3] = 0;
|
||||
@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
|
||||
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
/* Reset mode */
|
||||
if (!(fdctrl->dor & FD_DOR_nRESET)) {
|
||||
@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
}
|
||||
|
||||
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
|
||||
- fdctrl->fifo[fdctrl->data_pos++] = value;
|
||||
+ pos = fdctrl->data_pos++;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ fdctrl->fifo[pos] = value;
|
||||
if (fdctrl->data_pos == fdctrl->data_len) {
|
||||
/* We now have all parameters
|
||||
* and will be able to treat the command
|
|
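Review bot: In fdctrl_handle_drive_specification_command the new `pos = fdctrl->data_pos - 1; pos %= FD_SECTOR_LEN;` keeps the index inside the fifo for any data_pos, but with pos now uint32_t a data_pos of 0 wraps to 0xFFFFFFFF and the modulo silently maps it to the last fifo slot, so an upstream logic error would read a stale byte instead of being noticed; whether data_pos can be 0 when this handler runs is not visible in the hunk. Moving `pos %= FD_SECTOR_LEN` out of the NONDMA branch in fdctrl_read_data, and adding it in fdctrl_write_data, turns it into a bounds backstop rather than protocol behaviour, so a comment saying so would stop a later cleanup from folding it back: `/* data_pos is guest-influenced; wrap so the fifo index can never exceed its size */`. That the fifo holds exactly FD_SECTOR_LEN bytes is implied by the commit message but not shown here. All three functions start and end outside their hunks.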
@ -0,0 +1,45 @@
|
|||
From 1ed2665d9163d25cce12a1d8a764b939b2593c6e Mon Sep 17 00:00:00 2001
|
||||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Wed, 17 Jun 2015 12:46:11 +0200
|
||||
Subject: [PATCH 2/4] i8254: fix out-of-bounds memory access in
|
||||
pit_ioport_read()
|
||||
|
||||
Due converting PIO to the new memory read/write api we no longer provide
|
||||
separate I/O region lenghts for read and write operations. As a result,
|
||||
reading from PIT Mode/Command register will end with accessing
|
||||
pit->channels with invalid index.
|
||||
|
||||
Fix this by ignoring read from the Mode/Command register.
|
||||
|
||||
This is CVE-2015-3214.
|
||||
|
||||
Reported-by: Matt Tait <matttait@google.com>
|
||||
Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d4862a87e31a51de9eb260f25c9e99a75efe3235)
|
||||
---
|
||||
hw/timer/i8254.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
|
||||
index 28152d8..a5dd681 100644
|
||||
--- a/hw/timer/i8254.c
|
||||
+++ b/hw/timer/i8254.c
|
||||
@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
|
||||
PITChannelState *s;
|
||||
|
||||
addr &= 3;
|
||||
+
|
||||
+ if (addr == 3) {
|
||||
+ /* Mode/Command register is write only, read is ignored */
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
s = &pit->channels[addr];
|
||||
if (s->status_latched) {
|
||||
s->status_latched = 0;
|
||||
--
|
||||
2.5.0
|
||||
|
|
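Review bot: The guard `if (addr == 3)` is keyed on the register's meaning (Mode/Command is write only), but what it actually protects is the index into pit->channels on the next line, and the two facts are linked only by the comment. Tying the check to the array would make the bounds intent explicit and survive a future change to the masking: `if (addr >= ARRAY_SIZE(pit->channels)) {`, keeping the existing comment about the register being write-only. The description's claim that index 3 is out of bounds implies channels has three entries, which is not visible in the hunk. pit_ioport_read starts and ends outside the hunk.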
@ -0,0 +1,100 @@
|
|||
From c2c087239b676b7dcb75f74ed8509bd0d286ee1d Mon Sep 17 00:00:00 2001
|
||||
From: Gonglei <arei.gonglei@huawei.com>
|
||||
Date: Thu, 20 Nov 2014 19:35:02 +0800
|
||||
Subject: [PATCH 3/4] pcnet: fix Negative array index read
|
||||
|
||||
s->xmit_pos maybe assigned to a negative value (-1),
|
||||
but in this branch variable s->xmit_pos as an index to
|
||||
array s->buffer. Let's add a check for s->xmit_pos.
|
||||
|
||||
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Reviewed-by: Jason Wang <jasowang@redhat.com>
|
||||
Reviewed-by: Jason Wang <jasowang@redhat.com>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
(cherry picked from commit 7b50d00911ddd6d56a766ac5671e47304c20a21b)
|
||||
---
|
||||
hw/net/pcnet.c | 55 ++++++++++++++++++++++++++++++-------------------------
|
||||
1 file changed, 30 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index 7cb47b3..07069d7 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1213,7 +1213,7 @@ static void pcnet_transmit(PCNetState *s)
|
||||
hwaddr xmit_cxda = 0;
|
||||
int count = CSR_XMTRL(s)-1;
|
||||
int add_crc = 0;
|
||||
-
|
||||
+ int bcnt;
|
||||
s->xmit_pos = -1;
|
||||
|
||||
if (!CSR_TXON(s)) {
|
||||
@@ -1248,35 +1248,40 @@ static void pcnet_transmit(PCNetState *s)
|
||||
s->xmit_pos = -1;
|
||||
goto txdone;
|
||||
}
|
||||
+
|
||||
+ if (s->xmit_pos < 0) {
|
||||
+ goto txdone;
|
||||
+ }
|
||||
+
|
||||
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
|
||||
+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
|
||||
+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
|
||||
+ s->xmit_pos += bcnt;
|
||||
+
|
||||
if (!GET_FIELD(tmd.status, TMDS, ENP)) {
|
||||
- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
|
||||
- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
|
||||
- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
|
||||
- s->xmit_pos += bcnt;
|
||||
- } else if (s->xmit_pos >= 0) {
|
||||
- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
|
||||
- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
|
||||
- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
|
||||
- s->xmit_pos += bcnt;
|
||||
+ goto txdone;
|
||||
+ }
|
||||
+
|
||||
#ifdef PCNET_DEBUG
|
||||
- printf("pcnet_transmit size=%d\n", s->xmit_pos);
|
||||
+ printf("pcnet_transmit size=%d\n", s->xmit_pos);
|
||||
#endif
|
||||
- if (CSR_LOOP(s)) {
|
||||
- if (BCR_SWSTYLE(s) == 1)
|
||||
- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
|
||||
- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
|
||||
- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
|
||||
- s->looptest = 0;
|
||||
- } else
|
||||
- if (s->nic)
|
||||
- qemu_send_packet(qemu_get_queue(s->nic), s->buffer,
|
||||
- s->xmit_pos);
|
||||
-
|
||||
- s->csr[0] &= ~0x0008; /* clear TDMD */
|
||||
- s->csr[4] |= 0x0004; /* set TXSTRT */
|
||||
- s->xmit_pos = -1;
|
||||
+ if (CSR_LOOP(s)) {
|
||||
+ if (BCR_SWSTYLE(s) == 1)
|
||||
+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
|
||||
+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
|
||||
+ pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
|
||||
+ s->looptest = 0;
|
||||
+ } else {
|
||||
+ if (s->nic) {
|
||||
+ qemu_send_packet(qemu_get_queue(s->nic), s->buffer,
|
||||
+ s->xmit_pos);
|
||||
+ }
|
||||
}
|
||||
|
||||
+ s->csr[0] &= ~0x0008; /* clear TDMD */
|
||||
+ s->csr[4] |= 0x0004; /* set TXSTRT */
|
||||
+ s->xmit_pos = -1;
|
||||
+
|
||||
txdone:
|
||||
SET_FIELD(&tmd.status, TMDS, OWN, 0);
|
||||
TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s)));
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,50 @@
|
|||
From d913b8e2e9a6480bbefba2abc3e8f55bd9d1f1a7 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Sun, 24 May 2015 10:53:44 +0200
|
||||
Subject: [PATCH 4/4] pcnet: force the buffer access to be in bounds during tx
|
||||
|
||||
4096 is the maximum length per TMD and it is also currently the size of
|
||||
the relay buffer pcnet driver uses for sending the packet data to QEMU
|
||||
for further processing. With packet spanning multiple TMDs it can
|
||||
happen that the overall packet size will be bigger than sizeof(buffer),
|
||||
which results in memory corruption.
|
||||
|
||||
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
|
||||
|
||||
This is CVE-2015-3209.
|
||||
|
||||
[Fixed 3-space indentation to QEMU's 4-space coding standard.
|
||||
--Stefan]
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Reported-by: Matt Tait <matttait@google.com>
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
(cherry picked from commit 9f7c594c006289ad41169b854d70f5da6e400a2a)
|
||||
---
|
||||
hw/net/pcnet.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index 07069d7..a577daf 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1254,6 +1254,14 @@ static void pcnet_transmit(PCNetState *s)
|
||||
}
|
||||
|
||||
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
|
||||
+
|
||||
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
|
||||
+ Note: this is not what real hw does */
|
||||
+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
|
||||
+ s->xmit_pos = -1;
|
||||
+ goto txdone;
|
||||
+ }
|
||||
+
|
||||
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
|
||||
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
|
||||
s->xmit_pos += bcnt;
|
||||
--
|
||||
2.5.0
|
||||
|
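Review bot: The new size check compares the signed sum `s->xmit_pos + bcnt` against `sizeof(s->buffer)`, so the int is converted to size_t and the test is only meaningful while both operands are non-negative. The `if (s->xmit_pos < 0)` guard sits above this hunk, but bcnt is derived from a guest-written TMD field; if GET_FIELD cannot yield a negative bcnt (presumably a 12-bit field, which I cannot confirm from the hunk) the check holds, otherwise a negative bcnt would wrap and pass. Making that assumption explicit costs one line: `if (bcnt < 0 || (size_t)s->xmit_pos + (size_t)bcnt > sizeof(s->buffer)) {`. pcnet_transmit starts and ends outside the hunk.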
143
qemu.spec
143
qemu.spec
|
@ -22,14 +22,14 @@
|
|||
|
||||
%if 0%{?rhel}
|
||||
# RHEL-specific defaults:
|
||||
%bcond_without kvmonly # enabled
|
||||
%bcond_with kvmonly # enabled
|
||||
%bcond_without exclusive_x86_64 # enabled
|
||||
%bcond_with rbd # disabled
|
||||
%bcond_without spice # enabled
|
||||
%bcond_without seccomp # enabled
|
||||
%bcond_with xfsprogs # disabled
|
||||
%bcond_with separate_kvm # disabled - for EPEL
|
||||
%bcond_with gtk # disabled
|
||||
%bcond_without xfsprogs # disabled
|
||||
%bcond_without separate_kvm # disabled - for EPEL
|
||||
%bcond_without gtk # disabled
|
||||
%else
|
||||
# General defaults:
|
||||
%bcond_with kvmonly # disabled
|
||||
|
@ -89,7 +89,7 @@
|
|||
%global need_qemu_kvm 1
|
||||
%endif
|
||||
%ifarch ppc64
|
||||
%global system_ppc kvm
|
||||
#global system_ppc kvm
|
||||
%global kvm_package system-ppc
|
||||
%global kvm_target ppc64
|
||||
%global need_kvm_modfile 1
|
||||
|
@ -121,10 +121,10 @@
|
|||
%global system_microblaze system-microblaze
|
||||
%global system_mips system-mips
|
||||
%global system_or32 system-or32
|
||||
%global system_ppc system-ppc
|
||||
#global system_ppc system-ppc
|
||||
%global system_s390x system-s390x
|
||||
%global system_sh4 system-sh4
|
||||
%global system_sparc system-sparc
|
||||
#global system_sparc system-sparc
|
||||
%global system_x86 system-x86
|
||||
%global system_xtensa system-xtensa
|
||||
%global system_unicore32 system-unicore32
|
||||
|
@ -132,22 +132,30 @@
|
|||
%endif
|
||||
|
||||
# libfdt is only needed to build ARM, Microblaze or PPC emulators
|
||||
%if 0%{?rhel}
|
||||
%global need_fdt 0
|
||||
%else
|
||||
%if 0%{?system_arm:1}%{?system_microblaze:1}%{?system_ppc:1}
|
||||
%global need_fdt 1
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%if 0%{?rhel}
|
||||
%define with_xen 0
|
||||
%else
|
||||
# Xen is available only on i386 x86_64 (from libvirt spec)
|
||||
%ifnarch %{ix86} x86_64
|
||||
%define with_xen 0
|
||||
%else
|
||||
%define with_xen 1
|
||||
%endif
|
||||
%endif
|
||||
|
||||
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.0.0
|
||||
Release: 1%{?dist}
|
||||
Release: 1%{?dist}.6
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
|
@ -156,6 +164,9 @@ URL: http://www.qemu.org/
|
|||
%if %{with kvmonly}
|
||||
ExclusiveArch: %{kvm_archs}
|
||||
%endif
|
||||
# XXX: The rom packages need to be updated to cross compile like fedora does,
|
||||
# otherwise qemu-system-x86 deps are broken on ppc64
|
||||
ExcludeArch: ppc64
|
||||
|
||||
# OOM killer breaks builds with parallel make on s390(x)
|
||||
%ifarch s390 s390x
|
||||
|
@ -188,10 +199,29 @@ Source12: bridge.conf
|
|||
Source13: qemu-kvm.sh
|
||||
|
||||
# Change gtk quit accelerator to ctrl+shift+q (bz #1062393)
|
||||
# Patches queued for 2.1
|
||||
Patch0001: 0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch
|
||||
|
||||
# CVE-2015-3456: fdc: out-of-bounds fifo buffer memory access # (bz #1221152)
|
||||
Patch0002: 0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
|
||||
|
||||
# CVE-2015-5154: ide: Check array bounds before writing to io_buffer (bz #1247143)
|
||||
Patch0003: 0001-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch
|
||||
|
||||
# CVE-2015-3214: i8254: fix out-of-bounds memory access in pit_ioport_read() (bz #1243729)
|
||||
Patch0004: 0002-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch
|
||||
|
||||
# CVE-2015-3209: pcnet: force the buffer access to be in bounds during tx (bz #1230538)
|
||||
Patch0005: 0003-pcnet-fix-Negative-array-index-read.patch
|
||||
Patch0006: 0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch
|
||||
|
||||
# EPEL specific patches
|
||||
Patch6661: 0001-pxe-always-use-non-efi-roms.patch
|
||||
|
||||
%if 0%{?rhel}
|
||||
BuildRequires: SDL-devel
|
||||
%else
|
||||
BuildRequires: SDL2-devel
|
||||
%endif
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: which
|
||||
BuildRequires: chrpath
|
||||
|
@ -248,7 +278,7 @@ BuildRequires: bluez-libs-devel
|
|||
BuildRequires: brlapi-devel
|
||||
%if 0%{?need_fdt:1}
|
||||
# For FDT device tree support
|
||||
BuildRequires: libfdt-devel
|
||||
#BuildRequires: libfdt-devel
|
||||
%endif
|
||||
# For virtfs
|
||||
BuildRequires: libcap-devel
|
||||
|
@ -281,11 +311,10 @@ BuildRequires: librdmacm-devel
|
|||
BuildRequires: qemu-sanity-check-nodeps
|
||||
BuildRequires: kernel
|
||||
%endif
|
||||
BuildRequires: iasl
|
||||
%if %{with_xen}
|
||||
BuildRequires: xen-devel
|
||||
%endif
|
||||
|
||||
BuildRequires: /usr/bin/vi
|
||||
|
||||
%if 0%{?user:1}
|
||||
Requires: %{name}-%{user} = %{epoch}:%{version}-%{release}
|
||||
|
@ -383,6 +412,9 @@ This package provides a command line tool for manipulating disk images
|
|||
%package common
|
||||
Summary: QEMU common files needed by all QEMU targets
|
||||
Group: Development/Tools
|
||||
%if %{with separate_kvm}
|
||||
Requires: qemu-kvm-common
|
||||
%endif
|
||||
Requires(post): /usr/bin/getent
|
||||
Requires(post): /usr/sbin/groupadd
|
||||
Requires(post): /usr/sbin/useradd
|
||||
|
@ -458,9 +490,13 @@ Provides: kvm = 85
|
|||
Obsoletes: kvm < 85
|
||||
Requires: seavgabios-bin
|
||||
# First version that ships bios-256k.bin
|
||||
%if 0%{?rhel}
|
||||
Requires: sgabios-bin >= 1.7.2.2-5
|
||||
%else
|
||||
Requires: seabios-bin >= 1.7.4-3
|
||||
Requires: sgabios-bin
|
||||
Requires: ipxe-roms-qemu >= 20130517-2.gitc4bce43
|
||||
%endif
|
||||
#Requires: ipxe-roms-qemu >= 20130517-2.gitc4bce43
|
||||
Requires: ipxe-roms-qemu
|
||||
%if 0%{?have_seccomp:1}
|
||||
Requires: libseccomp >= 1.0.0
|
||||
%endif
|
||||
|
@ -700,6 +736,22 @@ CAC emulation development files.
|
|||
# Patches queued for 2.1
|
||||
%patch0001 -p1
|
||||
|
||||
# CVE-2015-3456: fdc: out-of-bounds fifo buffer memory access # (bz #1221152)
|
||||
%patch0002 -p1
|
||||
|
||||
# CVE-2015-5154: ide: Check array bounds before writing to io_buffer (bz #1247143)
|
||||
%patch0003 -p1
|
||||
|
||||
# CVE-2015-3214: i8254: fix out-of-bounds memory access in pit_ioport_read() (bz #1243729)
|
||||
%patch0004 -p1
|
||||
|
||||
# CVE-2015-3209: pcnet: force the buffer access to be in bounds during tx (bz #1230538)
|
||||
%patch0005 -p1
|
||||
%patch0006 -p1
|
||||
|
||||
# EPEL patches
|
||||
%patch6661 -p1
|
||||
|
||||
|
||||
%build
|
||||
%if %{with kvmonly}
|
||||
|
@ -708,8 +760,14 @@ CAC emulation development files.
|
|||
buildarch="i386-softmmu x86_64-softmmu alpha-softmmu arm-softmmu \
|
||||
cris-softmmu lm32-softmmu m68k-softmmu microblaze-softmmu \
|
||||
microblazeel-softmmu mips-softmmu mipsel-softmmu mips64-softmmu \
|
||||
mips64el-softmmu or32-softmmu ppc-softmmu ppcemb-softmmu ppc64-softmmu \
|
||||
s390x-softmmu sh4-softmmu sh4eb-softmmu sparc-softmmu sparc64-softmmu \
|
||||
mips64el-softmmu or32-softmmu \
|
||||
%if 0%{?system_ppc:1}
|
||||
ppc-softmmu ppcemb-softmmu ppc64-softmmu \
|
||||
%endif
|
||||
s390x-softmmu sh4-softmmu sh4eb-softmmu \
|
||||
%if 0%{?system_sparc:1}
|
||||
sparc-softmmu sparc64-softmmu \
|
||||
%endif
|
||||
xtensa-softmmu xtensaeb-softmmu unicore32-softmmu moxie-softmmu \
|
||||
i386-linux-user x86_64-linux-user aarch64-linux-user alpha-linux-user \
|
||||
arm-linux-user armeb-linux-user cris-linux-user m68k-linux-user \
|
||||
|
@ -777,7 +835,11 @@ sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure
|
|||
%ifarch s390
|
||||
--enable-tcg-interpreter \
|
||||
%endif
|
||||
%if 0%{?rhel}
|
||||
--with-sdlabi="1.2" \
|
||||
%else
|
||||
--with-sdlabi="2.0" \
|
||||
%endif
|
||||
--enable-quorum \
|
||||
"$@"
|
||||
|
||||
|
@ -896,7 +958,9 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}/sgabios.bin
|
|||
# for other paths, yet.
|
||||
pxe_link() {
|
||||
ln -s ../ipxe/$2.rom %{buildroot}%{_datadir}/%{name}/pxe-$1.rom
|
||||
%if 0%{?rhel} == 0
|
||||
ln -s ../ipxe.efi/$2.rom %{buildroot}%{_datadir}/%{name}/efi-$1.rom
|
||||
%endif
|
||||
}
|
||||
|
||||
pxe_link e1000 8086100e
|
||||
|
@ -916,8 +980,10 @@ rom_link ../seavgabios/vgabios-stdvga.bin vgabios-stdvga.bin
|
|||
rom_link ../seavgabios/vgabios-vmware.bin vgabios-vmware.bin
|
||||
rom_link ../seabios/bios.bin bios.bin
|
||||
rom_link ../seabios/bios-256k.bin bios-256k.bin
|
||||
%if 0%{?rhel} == 0
|
||||
rom_link ../seabios/acpi-dsdt.aml acpi-dsdt.aml
|
||||
rom_link ../seabios/q35-acpi-dsdt.aml q35-acpi-dsdt.aml
|
||||
%endif
|
||||
rom_link ../sgabios/sgabios.bin sgabios.bin
|
||||
%endif
|
||||
|
||||
|
@ -979,11 +1045,13 @@ find $RPM_BUILD_ROOT -name '*.la' -or -name '*.a' | xargs rm -f
|
|||
find $RPM_BUILD_ROOT -name "libcacard.so*" -exec chmod +x \{\} \;
|
||||
|
||||
%if %{with separate_kvm}
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/kvm_stat
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/qemu-kvm
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/qemu-img
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/qemu-io
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/qemu-nbd
|
||||
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/qemu-img.1*
|
||||
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/qemu-kvm.1*
|
||||
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/qemu-nbd.8*
|
||||
|
||||
rm -f $RPM_BUILD_ROOT%{_sbindir}/ksmtuned
|
||||
|
@ -996,11 +1064,14 @@ rm -f $RPM_BUILD_ROOT/lib/systemd/system/ksmtuned.service
|
|||
rm -f $RPM_BUILD_ROOT%{_bindir}/qemu-ga
|
||||
rm -f $RPM_BUILD_ROOT%{_unitdir}/qemu-guest-agent.service
|
||||
rm -f $RPM_BUILD_ROOT%{_udevdir}/99-qemu-guest-agent.rules
|
||||
rm -f $RPM_BUILD_ROOT%{_udevdir}/80-kvm.rules
|
||||
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/vscclient
|
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/libcacard*
|
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/libcacard.pc
|
||||
rm -rf $RPM_BUILD_ROOT%{_includedir}/cacard
|
||||
|
||||
rm -f $RPM_BUILD_ROOT%{_libexecdir}/qemu-bridge-helper
|
||||
%endif
|
||||
|
||||
# When building using 'rpmbuild' or 'fedpkg local', RPATHs can be left in
|
||||
|
@ -1095,10 +1166,12 @@ getent passwd qemu >/dev/null || \
|
|||
%files
|
||||
%defattr(-,root,root)
|
||||
|
||||
%if %{without separate_kvm}
|
||||
%ifarch %{kvm_archs}
|
||||
%files kvm
|
||||
%defattr(-,root,root)
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%files common -f %{name}.lang
|
||||
%defattr(-,root,root)
|
||||
|
@ -1118,7 +1191,9 @@ getent passwd qemu >/dev/null || \
|
|||
%{_mandir}/man1/qemu.1*
|
||||
%{_mandir}/man1/virtfs-proxy-helper.1*
|
||||
%{_bindir}/virtfs-proxy-helper
|
||||
%if %{without separate_kvm}
|
||||
%attr(4755, root, root) %{_libexecdir}/qemu-bridge-helper
|
||||
%endif
|
||||
%config(noreplace) %{_sysconfdir}/sasl2/qemu.conf
|
||||
%dir %{_sysconfdir}/qemu
|
||||
%config(noreplace) %{_sysconfdir}/qemu/bridge.conf
|
||||
|
@ -1213,8 +1288,10 @@ getent passwd qemu >/dev/null || \
|
|||
%{_mandir}/man1/qemu-system-i386.1*
|
||||
%{_mandir}/man1/qemu-system-x86_64.1*
|
||||
%endif
|
||||
%if 0%{?rhel} == 0
|
||||
%{_datadir}/%{name}/acpi-dsdt.aml
|
||||
%{_datadir}/%{name}/q35-acpi-dsdt.aml
|
||||
%endif
|
||||
%{_datadir}/%{name}/bios.bin
|
||||
%{_datadir}/%{name}/bios-256k.bin
|
||||
%{_datadir}/%{name}/sgabios.bin
|
||||
|
@ -1227,15 +1304,17 @@ getent passwd qemu >/dev/null || \
|
|||
%{_datadir}/%{name}/vgabios-stdvga.bin
|
||||
%{_datadir}/%{name}/vgabios-vmware.bin
|
||||
%{_datadir}/%{name}/pxe-e1000.rom
|
||||
%{_datadir}/%{name}/efi-e1000.rom
|
||||
%{_datadir}/%{name}/pxe-virtio.rom
|
||||
%{_datadir}/%{name}/efi-virtio.rom
|
||||
%{_datadir}/%{name}/pxe-pcnet.rom
|
||||
%{_datadir}/%{name}/efi-pcnet.rom
|
||||
%{_datadir}/%{name}/pxe-rtl8139.rom
|
||||
%{_datadir}/%{name}/efi-rtl8139.rom
|
||||
%{_datadir}/%{name}/pxe-ne2k_pci.rom
|
||||
%if 0%{?rhel} == 0
|
||||
%{_datadir}/%{name}/efi-e1000.rom
|
||||
%{_datadir}/%{name}/efi-virtio.rom
|
||||
%{_datadir}/%{name}/efi-pcnet.rom
|
||||
%{_datadir}/%{name}/efi-rtl8139.rom
|
||||
%{_datadir}/%{name}/efi-ne2k_pci.rom
|
||||
%endif
|
||||
%config(noreplace) %{_sysconfdir}/qemu/target-x86_64.conf
|
||||
%if %{without separate_kvm}
|
||||
%ifarch %{ix86} x86_64
|
||||
|
@ -1245,11 +1324,13 @@ getent passwd qemu >/dev/null || \
|
|||
%endif
|
||||
%endif
|
||||
|
||||
%if %{without separate_kvm}
|
||||
%ifarch %{kvm_archs}
|
||||
%files kvm-tools
|
||||
%defattr(-,root,root,-)
|
||||
%{_bindir}/kvm_stat
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%if 0%{?system_alpha:1}
|
||||
%files %{system_alpha}
|
||||
|
@ -1372,6 +1453,8 @@ getent passwd qemu >/dev/null || \
|
|||
%{_mandir}/man1/qemu-system-sparc64.1*
|
||||
%{_datadir}/%{name}/QEMU,tcx.bin
|
||||
%{_datadir}/%{name}/QEMU,cgthree.bin
|
||||
%else
|
||||
%exclude %{_datadir}/%{name}/QEMU,cgthree.bin
|
||||
%endif
|
||||
|
||||
%if 0%{?system_ppc:1}
|
||||
|
@ -1450,6 +1533,26 @@ getent passwd qemu >/dev/null || \
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Nov 02 2015 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.6
|
||||
- CVE-2015-5154: ide: Check array bounds before writing to io_buffer (bz #1247143)
|
||||
- CVE-2015-3214: i8254: fix out-of-bounds memory access in pit_ioport_read() (bz #1243729)
|
||||
- CVE-2015-3209: pcnet: force the buffer access to be in bounds during tx (bz #1230538)
|
||||
|
||||
* Mon May 25 2015 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.5
|
||||
- CVE-2015-3456: fdc: out-of-bounds fifo buffer memory access (bz #1221152)
|
||||
|
||||
* Thu Feb 26 2015 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.4
|
||||
- Avoid using EFI boot ROMs, el7 ipxe does not ship them
|
||||
|
||||
* Fri Oct 10 2014 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.3
|
||||
- Bring back the bios-256k.bin link
|
||||
|
||||
* Fri Oct 10 2014 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.2
|
||||
- Avoid broken symbolic links (bz #1114432)
|
||||
|
||||
* Fri Apr 18 2014 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.1
|
||||
- Build for EPEL7
|
||||
|
||||
* Thu Apr 17 2014 Cole Robinson <crobinso@redhat.com> - 2:2.0.0-1
|
||||
- Update to 2.0.0 GA
|
||||
|
||||
|
|
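Review bot: The RHEL default block at the top of the spec now reads `%bcond_with kvmonly # enabled` together with `%bcond_without xfsprogs # disabled`, `%bcond_without separate_kvm # disabled - for EPEL` and `%bcond_without gtk # disabled`, and the trailing comments say the opposite of what the macros do: `%bcond_with X` leaves X off by default and `%bcond_without X` turns it on. Either flip the comments to `# disabled` / `# enabled` or drop them, since they are the only documentation of the EPEL build defaults. The CVE-2015-3456 comment in the Patch list and again in %prep has a stray `#` before the bug reference, `… fifo buffer memory access # (bz #1221152)`, unlike the three CVE lines added beside it. Which side of each printed pair is the new one is not marked on this page, so the above assumes the second line of each pair is the replacement.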