Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 17 May 2015 10:09:37 +0000 (UTC)
From:      Juergen Lock <nox@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r386593 - in head/emulators: qemu qemu-devel qemu-devel/files qemu-sbruno qemu-sbruno/files qemu/files
Message-ID:  <201505171009.t4HA9bSJ086032@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: nox
Date: Sun May 17 10:09:36 2015
New Revision: 386593
URL: https://svnweb.freebsd.org/changeset/ports/386593

Log:
  - Apply fixes for "BENOM" vulnerability - CVE-2015-3456 .
  - Bump PORTREVISIONs.
  
  PR:		200255
  PR:		200256
  PR:		200257
  Submitted by:	venture37@geeklan.co.uk
  Obtained from:	http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
  Security:	http://vuxml.FreeBSD.org/freebsd/2780e442-fc59-11e4-b18b-6805ca1d3bb1.html

Added:
  head/emulators/qemu-devel/files/patch-CVE-2015-3456   (contents, props changed)
  head/emulators/qemu-sbruno/files/patch-CVE-2015-3456   (contents, props changed)
  head/emulators/qemu/files/patch-CVE-2015-3456   (contents, props changed)
Modified:
  head/emulators/qemu-devel/Makefile
  head/emulators/qemu-sbruno/Makefile
  head/emulators/qemu/Makefile

Modified: head/emulators/qemu-devel/Makefile
==============================================================================
--- head/emulators/qemu-devel/Makefile	Sun May 17 10:06:25 2015	(r386592)
+++ head/emulators/qemu-devel/Makefile	Sun May 17 10:09:36 2015	(r386593)
@@ -3,6 +3,7 @@
 
 PORTNAME=	qemu
 PORTVERSION=	2.3.0
+PORTREVISION=	1
 CATEGORIES=	emulators
 MASTER_SITES=	http://wiki.qemu.org/download/:release \
 		LOCAL/nox:snapshot

Added: head/emulators/qemu-devel/files/patch-CVE-2015-3456
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/qemu-devel/files/patch-CVE-2015-3456	Sun May 17 10:09:36 2015	(r386593)
@@ -0,0 +1,84 @@
+From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+---
+ hw/block/fdc.c |   17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
+-- 
+1.7.0.4
+

Modified: head/emulators/qemu-sbruno/Makefile
==============================================================================
--- head/emulators/qemu-sbruno/Makefile	Sun May 17 10:06:25 2015	(r386592)
+++ head/emulators/qemu-sbruno/Makefile	Sun May 17 10:09:36 2015	(r386593)
@@ -3,6 +3,7 @@
 
 PORTNAME=	qemu
 PORTVERSION=	2.3.50.g20150501
+PORTREVISION=	1
 CATEGORIES=	emulators
 MASTER_SITES=	GH \
 		LOCAL/nox \

Added: head/emulators/qemu-sbruno/files/patch-CVE-2015-3456
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/qemu-sbruno/files/patch-CVE-2015-3456	Sun May 17 10:09:36 2015	(r386593)
@@ -0,0 +1,84 @@
+From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+---
+ hw/block/fdc.c |   17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
+-- 
+1.7.0.4
+

Modified: head/emulators/qemu/Makefile
==============================================================================
--- head/emulators/qemu/Makefile	Sun May 17 10:06:25 2015	(r386592)
+++ head/emulators/qemu/Makefile	Sun May 17 10:09:36 2015	(r386593)
@@ -3,7 +3,7 @@
 
 PORTNAME=	qemu
 PORTVERSION=	0.11.1
-PORTREVISION=	18
+PORTREVISION=	19
 CATEGORIES=	emulators
 MASTER_SITES=	SAVANNAH \
 		http://bellard.org/qemu/

Added: head/emulators/qemu/files/patch-CVE-2015-3456
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/qemu/files/patch-CVE-2015-3456	Sun May 17 10:09:36 2015	(r386593)
@@ -0,0 +1,44 @@
+--- a/hw/fdc.c
++++ b/hw/fdc.c
+@@ -1324,7 +1324,7 @@ static uint32_t fdctrl_read_data (fdctrl
+ {
+     fdrive_t *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1333,8 +1333,8 @@ static uint32_t fdctrl_read_data (fdctrl
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1680,8 +1680,11 @@ static void fdctrl_handle_option (fdctrl
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+     fdrive_t *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
++
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
+-
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+         if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+@@ -1778,7 +1782,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+     fdrive_t *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201505171009.t4HA9bSJ086032>