| author | Jason Unovitch <junovitch@FreeBSD.org> | 2015-08-17 13:55:06 +0000 | 
|---|---|---|
| committer | Jason Unovitch <junovitch@FreeBSD.org> | 2015-08-17 13:55:06 +0000 | 
| commit | 5c08f16d47ccff07072343b2962629fce51934ee (patch) | |
| tree | ba31218bc5a7467bdd9c7f2e896abe29864c65c9 /sysutils/xen-tools/files/xsa133-qemuu.patch | |
| parent | Document two QEMU related xen-tools security advisories (diff) | |
sysutils/xen-tools: Update to 4.5.1 and apply XSA-139/XSA-140 patches
- Update to 4.5.1
- Remove XSA-117 to XSA-136 and elf_parse_bsdsyms patches now part of 4.5.1
- Leave XSA-135 QEMU traditional patches due to an oversight in 4.5.1
- Apply patches for XSA-139/XSA-140
- Set USE_LDCONFIG, sort USES, use ${PATCH}, and reorder Makefile (portlint)
PR:		201931
Security:	CVE-2015-5166
Security:	ee99899d-4347-11e5-93ad-002590263bf5
Security:	CVE-2015-5165
Security:	f06f20dc-4347-11e5-93ad-002590263bf5
Approved by:	bapt (maintainer), feld (mentor)
MFH:		2015Q3
Diffstat (limited to 'sysutils/xen-tools/files/xsa133-qemuu.patch')
| -rw-r--r-- | sysutils/xen-tools/files/xsa133-qemuu.patch | 84 | 
1 files changed, 0 insertions, 84 deletions
|
diff --git a/sysutils/xen-tools/files/xsa133-qemuu.patch b/sysutils/xen-tools/files/xsa133-qemuu.patch
deleted file mode 100644
index 95f3dcc21e5b..000000000000
--- a/sysutils/xen-tools/files/xsa133-qemuu.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Wed, 6 May 2015 09:48:59 +0200
-Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
----
- hw/block/fdc.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index f72a392..d8a8edd 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- {
-     FDrive *cur_drv;
-     uint32_t retval = 0;
--    int pos;
-+    uint32_t pos;
- 
-     cur_drv = get_cur_drv(fdctrl);
-     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-         return 0;
-     }
-     pos = fdctrl->data_pos;
-+    pos %= FD_SECTOR_LEN;
-     if (fdctrl->msr & FD_MSR_NONDMA) {
--        pos %= FD_SECTOR_LEN;
-         if (pos == 0) {
-             if (fdctrl->data_pos != 0)
-                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
- static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
- {
-     FDrive *cur_drv = get_cur_drv(fdctrl);
-+    uint32_t pos;
- 
--    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+    pos = fdctrl->data_pos - 1;
-+    pos %= FD_SECTOR_LEN;
-+    if (fdctrl->fifo[pos] & 0x80) {
-         /* Command parameters done */
--        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+        if (fdctrl->fifo[pos] & 0x40) {
-             fdctrl->fifo[0] = fdctrl->fifo[1];
-             fdctrl->fifo[2] = 0;
-             fdctrl->fifo[3] = 0;
-@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
- static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- {
-     FDrive *cur_drv;
--    int pos;
-+    uint32_t pos;
- 
-     /* Reset mode */
-     if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-     }
- 
-     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
--    fdctrl->fifo[fdctrl->data_pos++] = value;
-+    pos = fdctrl->data_pos++;
-+    pos %= FD_SECTOR_LEN;
-+    fdctrl->fifo[pos] = value;
-     if (fdctrl->data_pos == fdctrl->data_len) {
-         /* We now have all parameters
-          * and will be able to treat the command
--- 
-2.1.0
-
-
|
