Gentoo's Bugzilla – Attachment 403210 Details for
Bug 549402
app-emulation/qemu security vulnerability CVE-2015-3456 ("Venom")
[patch]
Patch from qemu git
qemu-2.3.0-CVE-2015-3456.patch (text/plain), 2.75 KB, created by
Daniel Kenzelmann
on 2015-05-13 18:57:33 UTC
Description:
Patch from qemu git
Filename:
MIME Type:
Creator:
Daniel Kenzelmann
Created:
2015-05-13 18:57:33 UTC
Size:
2.75 KB
patch
obsolete
>From: Petr Matousek <pmatouse@redhat.com>
>Date: Wed, 6 May 2015 07:48:59 +0000 (+0200)
>Subject: fdc: force the fifo access to be in bounds of the allocated buffer
>X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=e907746266721f305d67bc0718795fedee2e824c
>
>fdc: force the fifo access to be in bounds of the allocated buffer
>
>During processing of certain commands such as FD_CMD_READ_ID and
>FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
>get out of bounds leading to memory corruption with values coming
>from the guest.
>
>Fix this by making sure that the index is always bounded by the
>allocated memory.
>
>This is CVE-2015-3456.
>
>Signed-off-by: Petr Matousek <pmatouse@redhat.com>
>Reviewed-by: John Snow <jsnow@redhat.com>
>Signed-off-by: John Snow <jsnow@redhat.com>
>---
>
>diff --git a/hw/block/fdc.c b/hw/block/fdc.c
>index f72a392..d8a8edd 100644
>--- a/hw/block/fdc.c
>+++ b/hw/block/fdc.c
>@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
> {
> FDrive *cur_drv;
> uint32_t retval = 0;
>- int pos;
>+ uint32_t pos;
>
> cur_drv = get_cur_drv(fdctrl);
> fdctrl->dsr &= ~FD_DSR_PWRDOWN;
>@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
> return 0;
> }
> pos = fdctrl->data_pos;
>+ pos %= FD_SECTOR_LEN;
> if (fdctrl->msr & FD_MSR_NONDMA) {
>- pos %= FD_SECTOR_LEN;
> if (pos == 0) {
> if (fdctrl->data_pos != 0)
> if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
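Review bot: The relocated `pos %= FD_SECTOR_LEN;` in fdctrl_read_data now bounds the FIFO index on both the DMA and non-DMA paths, but nothing at the site says why it must sit before the FD_MSR_NONDMA test, and the same bare modulo recurs in the fdctrl_handle_drive_specification_command and fdctrl_write_data hunks below; a one-line comment at this first site, `/* data_pos is guest-controlled: keep the index inside the FD_SECTOR_LEN-byte FIFO (CVE-2015-3456) */`, would stop a later cleanup from moving it back under the branch. The bound is only as good as the assumption that the FIFO is allocated with exactly FD_SECTOR_LEN bytes, which the hunk cannot show; if the controller state carries the allocation size, bounding by that field would tie the check to the allocation rather than to a sector constant. Wrapping the index leaves `fdctrl->data_pos` itself untouched, so a data_pos that has run past data_len is contained rather than corrected, and the command handlers that let it get there presumably still need to reset the FIFO state as follow-up work. fdctrl_read_data's body continues outside the hunk.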
>@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
> static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
> {
> FDrive *cur_drv = get_cur_drv(fdctrl);
>+ uint32_t pos;
>
>- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
>+ pos = fdctrl->data_pos - 1;
>+ pos %= FD_SECTOR_LEN;
>+ if (fdctrl->fifo[pos] & 0x80) {
> /* Command parameters done */
>- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
>+ if (fdctrl->fifo[pos] & 0x40) {
> fdctrl->fifo[0] = fdctrl->fifo[1];
> fdctrl->fifo[2] = 0;
> fdctrl->fifo[3] = 0;
>@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
> static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
> {
> FDrive *cur_drv;
>- int pos;
>+ uint32_t pos;
>
> /* Reset mode */
> if (!(fdctrl->dor & FD_DOR_nRESET)) {
>@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
> }
>
> FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
>- fdctrl->fifo[fdctrl->data_pos++] = value;
>+ pos = fdctrl->data_pos++;
>+ pos %= FD_SECTOR_LEN;
>+ fdctrl->fifo[pos] = value;
> if (fdctrl->data_pos == fdctrl->data_len) {
> /* We now have all parameters
> * and will be able to treat the command
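Review bot: In fdctrl_handle_drive_specification_command the index is computed as `pos = fdctrl->data_pos - 1;` before the modulo, so with `pos` now `uint32_t` a data_pos of 0 wraps to `UINT32_MAX % FD_SECTOR_LEN` (the last FIFO byte for a power-of-two sector length) instead of the old out-of-bounds read; that is memory-safe but silently treats a stale FIFO byte as the command's final parameter. Whether data_pos can be 0 here depends on the dispatcher, which is outside the hunk, so if it cannot, a comment is enough, `/* data_pos >= 1: the command byte has already been consumed */`; if it can, an explicit `if (fdctrl->data_pos == 0) { return; }` guard before the read would be clearer than relying on unsigned wrap. The same wrap-then-modulo shape in the fdctrl_write_data hunk (`pos = fdctrl->data_pos++;`) leaves data_pos itself unbounded, so the `fdctrl->data_pos == fdctrl->data_len` test that follows only terminates parameter collection while data_pos has not already run past data_len; a `>=` comparison, or resetting the FIFO in the handlers that leave it in that state, would make that path robust rather than merely contained. All three enclosing functions continue outside their hunks.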