[arch-commits] Commit in qemu/trunk (4 files)
Sébastien Luttringer
seblu at archlinux.org
Tue Jul 28 23:23:27 UTC 2015
Date: Wednesday, July 29, 2015 @ 01:23:27
Author: seblu
Revision: 242633
upgpkg: qemu 2.3.0-5
- fix CVE-2015-3214 CVE-2015-5154 CVE-2015-5158
Added:
qemu/trunk/CVE-2015-3214.patch
qemu/trunk/CVE-2015-5154.patch
qemu/trunk/CVE-2015-5158.patch
Modified:
qemu/trunk/PKGBUILD
---------------------+
CVE-2015-3214.patch | 40 +++++++++++
CVE-2015-5154.patch | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++
CVE-2015-5158.patch | 46 +++++++++++++
PKGBUILD | 33 ++++++---
4 files changed, 283 insertions(+), 11 deletions(-)
Added: CVE-2015-3214.patch
===================================================================
--- CVE-2015-3214.patch (rev 0)
+++ CVE-2015-3214.patch 2015-07-28 23:23:27 UTC (rev 242633)
@@ -0,0 +1,40 @@
+From 7d08e1fae6150a3c0867dba6f75cf00946b3163c Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse at redhat.com>
+Date: Tue, 2 Jun 2015 14:32:06 +0200
+Subject: [PATCH] i8254: fix out-of-bounds memory access in pit_ioport_read()
+
+Due converting PIO to the new memory read/write api we no longer provide
+separate I/O region lenghts for read and write operations. As a result,
+reading from PIT Mode/Command register will end with accessing
+pit->channels with invalid index.
+
+Fix this by ignoring read from the Mode/Command register.
+
+This is CVE-2015-3214.
+
+Signed-off-by: Petr Matousek <pmatouse at redhat.com>
+Reported-by: Matt Tait <matttait at google.com>
+---
+ hw/timer/i8254.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
+index 3450c98..9b65a33 100644
+--- a/hw/timer/i8254.c
++++ b/hw/timer/i8254.c
+@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
+ PITChannelState *s;
+
+ addr &= 3;
++
++ if (addr == 3) {
++ /* Mode/Command register is write only, read is ignored */
++ return 0;
++ }
++
+ s = &pit->channels[addr];
+ if (s->status_latched) {
+ s->status_latched = 0;
+--
+2.1.0
+
Added: CVE-2015-5154.patch
===================================================================
--- CVE-2015-5154.patch (rev 0)
+++ CVE-2015-5154.patch 2015-07-28 23:23:27 UTC (rev 242633)
@@ -0,0 +1,175 @@
+From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 3 Jun 2015 14:13:31 +0200
+Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
+ (CVE-2015-5154)
+
+If the end_transfer_func of a command is called because enough data has
+been read or written for the current PIO transfer, and it fails to
+correctly call the command completion functions, the DRQ bit in the
+status register and s->end_transfer_func may remain set. This allows the
+guest to access further bytes in s->io_buffer beyond s->data_end, and
+eventually overflowing the io_buffer.
+
+One case where this currently happens is emulation of the ATAPI command
+START STOP UNIT.
+
+This patch fixes the problem by adding explicit array bounds checks
+before accessing the buffer instead of relying on end_transfer_func to
+function correctly.
+
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+---
+ hw/ide/core.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 122e955..44fcc23 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
+ }
+
+ p = s->data_ptr;
++ if (p + 2 > s->data_end) {
++ return;
++ }
++
+ *(uint16_t *)p = le16_to_cpu(val);
+ p += 2;
+ s->data_ptr = p;
+@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+ }
+
+ p = s->data_ptr;
++ if (p + 2 > s->data_end) {
++ return 0;
++ }
++
+ ret = cpu_to_le16(*(uint16_t *)p);
+ p += 2;
+ s->data_ptr = p;
+@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
+ }
+
+ p = s->data_ptr;
++ if (p + 4 > s->data_end) {
++ return;
++ }
++
+ *(uint32_t *)p = le32_to_cpu(val);
+ p += 4;
+ s->data_ptr = p;
+@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+ }
+
+ p = s->data_ptr;
++ if (p + 4 > s->data_end) {
++ return 0;
++ }
++
+ ret = cpu_to_le32(*(uint32_t *)p);
+ p += 4;
+ s->data_ptr = p;
+--
+1.8.3.1
+From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 3 Jun 2015 14:17:46 +0200
+Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
+
+The command must be completed on all code paths. START STOP UNIT with
+pwrcnd set should succeed without doing anything.
+
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+---
+ hw/ide/atapi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 950e311..79dd167 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
+
+ if (pwrcnd) {
+ /* eject/load only happens for power condition == 0 */
++ ide_atapi_cmd_ok(s);
+ return;
+ }
+
+--
+1.8.3.1
+
+From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 3 Jun 2015 14:41:27 +0200
+Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
+
+This is additional hardening against an end_transfer_func that fails to
+clear the DRQ status bit. The bit must be unset as soon as the PIO
+transfer has completed, so it's better to do this in a central place
+instead of duplicating the code in all commands (and forgetting it in
+some).
+
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+---
+ hw/ide/core.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 44fcc23..50449ca 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
+ *(uint16_t *)p = le16_to_cpu(val);
+ p += 2;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ }
+
+ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+ ret = cpu_to_le16(*(uint16_t *)p);
+ p += 2;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ return ret;
+ }
+
+@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
+ *(uint32_t *)p = le32_to_cpu(val);
+ p += 4;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ }
+
+ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+ ret = cpu_to_le32(*(uint32_t *)p);
+ p += 4;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ return ret;
+ }
+
+--
+1.8.3.1
+
Added: CVE-2015-5158.patch
===================================================================
--- CVE-2015-5158.patch (rev 0)
+++ CVE-2015-5158.patch 2015-07-28 23:23:27 UTC (rev 242633)
@@ -0,0 +1,46 @@
+From c170aad8b057223b1139d72e5ce7acceafab4fa9 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Tue, 21 Jul 2015 08:59:39 +0200
+Subject: [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb
+ (CVE-2015-5158)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a guest-triggerable buffer overflow present in QEMU 2.2.0
+and newer. scsi_cdb_length returns -1 as an error value, but the
+caller does not check it.
+
+Luckily, the massive overflow means that QEMU will just SIGSEGV,
+making the impact much smaller.
+
+Reported-by: Zhu Donghai (朱东海) <donghai.zdh at alibaba-inc.com>
+Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
+Reviewed-by: Fam Zheng <famz at redhat.com>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ hw/scsi/scsi-bus.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
+index f50b2f0..f0ae462 100644
+--- a/hw/scsi/scsi-bus.c
++++ b/hw/scsi/scsi-bus.c
+@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
+ int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
+ {
+ int rc;
++ int len;
+
+ cmd->lba = -1;
+- cmd->len = scsi_cdb_length(buf);
++ len = scsi_cdb_length(buf);
++ if (len < 0) {
++ return -1;
++ }
+
++ cmd->len = len;
+ switch (dev->type) {
+ case TYPE_TAPE:
+ rc = scsi_req_stream_xfer(cmd, dev, buf);
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2015-07-28 23:20:50 UTC (rev 242632)
+++ PKGBUILD 2015-07-28 23:23:27 UTC (rev 242633)
@@ -2,7 +2,7 @@
# Maintainer: Tobias Powalowski <tpowa at archlinux.org>
pkgname=('qemu' 'libcacard')
pkgver=2.3.0
-pkgrel=4
+pkgrel=5
arch=('i686' 'x86_64')
license=('GPL2' 'LGPL2.1')
url="http://wiki.qemu.org/Index.html"
@@ -14,11 +14,23 @@
options=(!strip)
source=(http://wiki.qemu.org/download/${pkgname}-${pkgver}.tar.bz2
CVE-2015-3456.patch
+ CVE-2015-5154.patch
+ CVE-2015-3214.patch
+ CVE-2015-5158.patch
65-kvm.rules)
+md5sums=('2fab3ea4460de9b57192e5b8b311f221'
+ '5e8a68940c4e0267e795a6ddd144e00e'
+ '311d3845dda4795bf63107c3dcbf2bea'
+ '29840d5f2fa93ff447bf9dd120d12e5a'
+ 'cd87c265dfec4d8aa3767d5d047cd397'
+ '33ab286a20242dda7743a900f369d68a')
prepare() {
- cd "${srcdir}/${pkgname}-${pkgver}"
- patch -p1 -i ${srcdir}/CVE-2015-3456.patch
+ for _p in *.patch; do
+ [[ -e "$_p" ]] || continue
+ msg2 "Patching $_p"
+ patch -p1 -d ${pkgname}-${pkgver} < "$_p"
+ done
}
build ()
@@ -48,11 +60,11 @@
backup=('etc/qemu/target-x86_64.conf')
replaces=('qemu-kvm')
optdepends=('samba: for SMB server support'
- 'libssh2: for remote disks over ssh support'
- 'curl: for remote disks over http/ftp support'
- 'libiscsi: for iSCSI support'
- 'ceph: for RDB support'
- 'glusterfs: for glusterfs support')
+ 'libssh2: for remote disks over ssh support'
+ 'curl: for remote disks over http/ftp support'
+ 'libiscsi: for iSCSI support'
+ 'ceph: for RDB support'
+ 'glusterfs: for glusterfs support')
install=qemu.install
cd "${srcdir}/${pkgname}-${pkgver}"
make DESTDIR="${pkgdir}" libexecdir="/usr/lib/qemu" install
@@ -101,6 +113,5 @@
cp -a ${srcdir}/qemu-${pkgver}/libcacard.pc ${pkgdir}/usr/lib/pkgconfig/
cp -a ${srcdir}/qemu-${pkgver}/.libs/vscclient ${pkgdir}/usr/bin/
}
-md5sums=('2fab3ea4460de9b57192e5b8b311f221'
- '5e8a68940c4e0267e795a6ddd144e00e'
- '33ab286a20242dda7743a900f369d68a')
+
+# vim:set ts=2 sw=2 et:
More information about the arch-commits
mailing list