gnu: qemu: Update to 2.3.0; add fix for CVE-2015-3456.
* gnu/packages/patches/qemu-CVE-2015-3456.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/qemu.scm (qemu-headless): Update to 2.3.0. Add patch.
This commit is contained in:
parent
3736a110bd
commit
f6708fcdb2
|
@ -536,6 +536,7 @@ dist_patch_DATA = \
|
|||
gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \
|
||||
gnu/packages/patches/python2-sqlite-3.8.4-test-fix.patch \
|
||||
gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
|
||||
gnu/packages/patches/qemu-CVE-2015-3456.patch \
|
||||
gnu/packages/patches/qt4-ldflags.patch \
|
||||
gnu/packages/patches/qt4-tests.patch \
|
||||
gnu/packages/patches/qt5-conflicting-typedefs.patch \
|
||||
|
|
|
@ -0,0 +1,85 @@
|
|||
From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
|
||||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Wed, 6 May 2015 09:48:59 +0200
|
||||
Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
|
||||
buffer
|
||||
|
||||
During processing of certain commands such as FD_CMD_READ_ID and
|
||||
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
|
||||
get out of bounds leading to memory corruption with values coming
|
||||
from the guest.
|
||||
|
||||
Fix this by making sure that the index is always bounded by the
|
||||
allocated memory.
|
||||
|
||||
This is CVE-2015-3456.
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
---
|
||||
hw/block/fdc.c | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
|
||||
index f72a392..d8a8edd 100644
|
||||
--- a/hw/block/fdc.c
|
||||
+++ b/hw/block/fdc.c
|
||||
@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
uint32_t retval = 0;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
cur_drv = get_cur_drv(fdctrl);
|
||||
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
|
||||
@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
return 0;
|
||||
}
|
||||
pos = fdctrl->data_pos;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
if (fdctrl->msr & FD_MSR_NONDMA) {
|
||||
- pos %= FD_SECTOR_LEN;
|
||||
if (pos == 0) {
|
||||
if (fdctrl->data_pos != 0)
|
||||
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
|
||||
@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
|
||||
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
|
||||
{
|
||||
FDrive *cur_drv = get_cur_drv(fdctrl);
|
||||
+ uint32_t pos;
|
||||
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
|
||||
+ pos = fdctrl->data_pos - 1;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ if (fdctrl->fifo[pos] & 0x80) {
|
||||
/* Command parameters done */
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
|
||||
+ if (fdctrl->fifo[pos] & 0x40) {
|
||||
fdctrl->fifo[0] = fdctrl->fifo[1];
|
||||
fdctrl->fifo[2] = 0;
|
||||
fdctrl->fifo[3] = 0;
|
||||
@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
|
||||
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
/* Reset mode */
|
||||
if (!(fdctrl->dor & FD_DOR_nRESET)) {
|
||||
@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
}
|
||||
|
||||
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
|
||||
- fdctrl->fifo[fdctrl->data_pos++] = value;
|
||||
+ pos = fdctrl->data_pos++;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ fdctrl->fifo[pos] = value;
|
||||
if (fdctrl->data_pos == fdctrl->data_len) {
|
||||
/* We now have all parameters
|
||||
* and will be able to treat the command
|
||||
--
|
||||
2.2.1
|
||||
|
|
@ -1,5 +1,6 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
|
@ -42,14 +43,15 @@
|
|||
;; This is QEMU without GUI support.
|
||||
(package
|
||||
(name "qemu-headless")
|
||||
(version "2.2.0")
|
||||
(version "2.3.0")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "http://wiki.qemu-project.org/download/qemu-"
|
||||
version ".tar.bz2"))
|
||||
(sha256
|
||||
(base32
|
||||
"1703c3scl5n07gmpilg7g2xzyxnr7jczxgx6nn4m8kv9gin9p35n"))))
|
||||
"120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn"))
|
||||
(patches (list (search-patch "qemu-CVE-2015-3456.patch")))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
'(#:phases (alist-replace
|
||||
|
|
Loading…
Reference in New Issue