qemu: update to 2.4.0.
This commit is contained in:
parent
ef34de2ab2
commit
945bb70576
|
@ -1,48 +0,0 @@
|
|||
From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
|
||||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Sun, 24 May 2015 10:53:44 +0200
|
||||
Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
|
||||
|
||||
4096 is the maximum length per TMD and it is also currently the size of
|
||||
the relay buffer pcnet driver uses for sending the packet data to QEMU
|
||||
for further processing. With packet spanning multiple TMDs it can
|
||||
happen that the overall packet size will be bigger than sizeof(buffer),
|
||||
which results in memory corruption.
|
||||
|
||||
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
|
||||
|
||||
This is CVE-2015-3209.
|
||||
|
||||
[Fixed 3-space indentation to QEMU's 4-space coding standard.
|
||||
--Stefan]
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Reported-by: Matt Tait <matttait@google.com>
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
---
|
||||
hw/net/pcnet.c | 8 ++++++++
|
||||
1 files changed, 8 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git hw/net/pcnet.c hw/net/pcnet.c
|
||||
index bdfd38f..68b9981 100644
|
||||
--- hw/net/pcnet.c
|
||||
+++ hw/net/pcnet.c
|
||||
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
|
||||
}
|
||||
|
||||
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
|
||||
+
|
||||
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
|
||||
+ Note: this is not what real hw does */
|
||||
+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
|
||||
+ s->xmit_pos = -1;
|
||||
+ goto txdone;
|
||||
+ }
|
||||
+
|
||||
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
|
||||
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
|
||||
s->xmit_pos += bcnt;
|
||||
--
|
||||
1.7.0.4
|
|
@ -1,175 +0,0 @@
|
|||
From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Wolf <kwolf@redhat.com>
|
||||
Date: Wed, 3 Jun 2015 14:13:31 +0200
|
||||
Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
|
||||
(CVE-2015-5154)
|
||||
|
||||
If the end_transfer_func of a command is called because enough data has
|
||||
been read or written for the current PIO transfer, and it fails to
|
||||
correctly call the command completion functions, the DRQ bit in the
|
||||
status register and s->end_transfer_func may remain set. This allows the
|
||||
guest to access further bytes in s->io_buffer beyond s->data_end, and
|
||||
eventually overflowing the io_buffer.
|
||||
|
||||
One case where this currently happens is emulation of the ATAPI command
|
||||
START STOP UNIT.
|
||||
|
||||
This patch fixes the problem by adding explicit array bounds checks
|
||||
before accessing the buffer instead of relying on end_transfer_func to
|
||||
function correctly.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||
---
|
||||
hw/ide/core.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/hw/ide/core.c b/hw/ide/core.c
|
||||
index 122e955..44fcc23 100644
|
||||
--- hw/ide/core.c
|
||||
+++ hw/ide/core.c
|
||||
@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
|
||||
}
|
||||
|
||||
p = s->data_ptr;
|
||||
+ if (p + 2 > s->data_end) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
*(uint16_t *)p = le16_to_cpu(val);
|
||||
p += 2;
|
||||
s->data_ptr = p;
|
||||
@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
|
||||
}
|
||||
|
||||
p = s->data_ptr;
|
||||
+ if (p + 2 > s->data_end) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
ret = cpu_to_le16(*(uint16_t *)p);
|
||||
p += 2;
|
||||
s->data_ptr = p;
|
||||
@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
|
||||
}
|
||||
|
||||
p = s->data_ptr;
|
||||
+ if (p + 4 > s->data_end) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
*(uint32_t *)p = le32_to_cpu(val);
|
||||
p += 4;
|
||||
s->data_ptr = p;
|
||||
@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
|
||||
}
|
||||
|
||||
p = s->data_ptr;
|
||||
+ if (p + 4 > s->data_end) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
ret = cpu_to_le32(*(uint32_t *)p);
|
||||
p += 4;
|
||||
s->data_ptr = p;
|
||||
--
|
||||
1.8.3.1
|
||||
From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Wolf <kwolf@redhat.com>
|
||||
Date: Wed, 3 Jun 2015 14:17:46 +0200
|
||||
Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
|
||||
|
||||
The command must be completed on all code paths. START STOP UNIT with
|
||||
pwrcnd set should succeed without doing anything.
|
||||
|
||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||
---
|
||||
hw/ide/atapi.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
|
||||
index 950e311..79dd167 100644
|
||||
--- hw/ide/atapi.c
|
||||
+++ hw/ide/atapi.c
|
||||
@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
|
||||
|
||||
if (pwrcnd) {
|
||||
/* eject/load only happens for power condition == 0 */
|
||||
+ ide_atapi_cmd_ok(s);
|
||||
return;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Wolf <kwolf@redhat.com>
|
||||
Date: Wed, 3 Jun 2015 14:41:27 +0200
|
||||
Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
|
||||
|
||||
This is additional hardening against an end_transfer_func that fails to
|
||||
clear the DRQ status bit. The bit must be unset as soon as the PIO
|
||||
transfer has completed, so it's better to do this in a central place
|
||||
instead of duplicating the code in all commands (and forgetting it in
|
||||
some).
|
||||
|
||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||
---
|
||||
hw/ide/core.c | 16 ++++++++++++----
|
||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/ide/core.c b/hw/ide/core.c
|
||||
index 44fcc23..50449ca 100644
|
||||
--- hw/ide/core.c
|
||||
+++ hw/ide/core.c
|
||||
@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
|
||||
*(uint16_t *)p = le16_to_cpu(val);
|
||||
p += 2;
|
||||
s->data_ptr = p;
|
||||
- if (p >= s->data_end)
|
||||
+ if (p >= s->data_end) {
|
||||
+ s->status &= ~DRQ_STAT;
|
||||
s->end_transfer_func(s);
|
||||
+ }
|
||||
}
|
||||
|
||||
uint32_t ide_data_readw(void *opaque, uint32_t addr)
|
||||
@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
|
||||
ret = cpu_to_le16(*(uint16_t *)p);
|
||||
p += 2;
|
||||
s->data_ptr = p;
|
||||
- if (p >= s->data_end)
|
||||
+ if (p >= s->data_end) {
|
||||
+ s->status &= ~DRQ_STAT;
|
||||
s->end_transfer_func(s);
|
||||
+ }
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
|
||||
*(uint32_t *)p = le32_to_cpu(val);
|
||||
p += 4;
|
||||
s->data_ptr = p;
|
||||
- if (p >= s->data_end)
|
||||
+ if (p >= s->data_end) {
|
||||
+ s->status &= ~DRQ_STAT;
|
||||
s->end_transfer_func(s);
|
||||
+ }
|
||||
}
|
||||
|
||||
uint32_t ide_data_readl(void *opaque, uint32_t addr)
|
||||
@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
|
||||
ret = cpu_to_le32(*(uint32_t *)p);
|
||||
p += 4;
|
||||
s->data_ptr = p;
|
||||
- if (p >= s->data_end)
|
||||
+ if (p >= s->data_end) {
|
||||
+ s->status &= ~DRQ_STAT;
|
||||
s->end_transfer_func(s);
|
||||
+ }
|
||||
return ret;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
This is a security patch addressing the Venom security issue (CVE-2015-3456)
|
||||
Patch pulled from qemu's git repository:
|
||||
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
|
||||
|
||||
--- hw/block/fdc.c
|
||||
+++ hw/block/fdc.c
|
||||
@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
uint32_t retval = 0;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
cur_drv = get_cur_drv(fdctrl);
|
||||
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
|
||||
@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
return 0;
|
||||
}
|
||||
pos = fdctrl->data_pos;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
if (fdctrl->msr & FD_MSR_NONDMA) {
|
||||
- pos %= FD_SECTOR_LEN;
|
||||
if (pos == 0) {
|
||||
if (fdctrl->data_pos != 0)
|
||||
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
|
||||
@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
|
||||
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
|
||||
{
|
||||
FDrive *cur_drv = get_cur_drv(fdctrl);
|
||||
+ uint32_t pos;
|
||||
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
|
||||
+ pos = fdctrl->data_pos - 1;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ if (fdctrl->fifo[pos] & 0x80) {
|
||||
/* Command parameters done */
|
||||
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
|
||||
+ if (fdctrl->fifo[pos] & 0x40) {
|
||||
fdctrl->fifo[0] = fdctrl->fifo[1];
|
||||
fdctrl->fifo[2] = 0;
|
||||
fdctrl->fifo[3] = 0;
|
||||
@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
|
||||
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
- int pos;
|
||||
+ uint32_t pos;
|
||||
|
||||
/* Reset mode */
|
||||
if (!(fdctrl->dor & FD_DOR_nRESET)) {
|
||||
@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
}
|
||||
|
||||
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
|
||||
- fdctrl->fifo[fdctrl->data_pos++] = value;
|
||||
+ pos = fdctrl->data_pos++;
|
||||
+ pos %= FD_SECTOR_LEN;
|
||||
+ fdctrl->fifo[pos] = value;
|
||||
if (fdctrl->data_pos == fdctrl->data_len) {
|
||||
/* We now have all parameters
|
||||
* and will be able to treat the command
|
|
@ -1,13 +1,13 @@
|
|||
# Template file for 'qemu'
|
||||
pkgname=qemu
|
||||
version=2.3.0
|
||||
revision=7
|
||||
version=2.4.0
|
||||
revision=1
|
||||
short_desc="Open Source Processor Emulator"
|
||||
maintainer="Juan RP <xtraeme@voidlinux.eu>"
|
||||
homepage="http://qemu.org"
|
||||
license="GPL-2, LGPL-2.1"
|
||||
distfiles="http://wiki.qemu.org/download/qemu-${version}.tar.bz2"
|
||||
checksum=b6bab7f763d5be73e7cb5ee7d4c8365b7a8df2972c52fa5ded18893bd8281588
|
||||
checksum=72b0b991bbcc540663a019e1e8c4f714053b691dda32c9b9ee80b25f367e6620
|
||||
|
||||
nostrip=yes
|
||||
hostmakedepends="pkg-config perl python automake libtool flex"
|
||||
|
|
Loading…
Reference in New Issue