[arch-commits] Commit in qemu/trunk (4 files)

Sébastien Luttringer seblu at archlinux.org
Tue Jul 28 23:23:27 UTC 2015


    Date: Wednesday, July 29, 2015 @ 01:23:27
  Author: seblu
Revision: 242633

upgpkg: qemu 2.3.0-5

- fix CVE-2015-3214 CVE-2015-5154 CVE-2015-5158

Added:
  qemu/trunk/CVE-2015-3214.patch
  qemu/trunk/CVE-2015-5154.patch
  qemu/trunk/CVE-2015-5158.patch
Modified:
  qemu/trunk/PKGBUILD

---------------------+
 CVE-2015-3214.patch |   40 +++++++++++
 CVE-2015-5154.patch |  175 ++++++++++++++++++++++++++++++++++++++++++++++++++
 CVE-2015-5158.patch |   46 +++++++++++++
 PKGBUILD            |   33 ++++++---
 4 files changed, 283 insertions(+), 11 deletions(-)

Added: CVE-2015-3214.patch
===================================================================
--- CVE-2015-3214.patch	                        (rev 0)
+++ CVE-2015-3214.patch	2015-07-28 23:23:27 UTC (rev 242633)
@@ -0,0 +1,40 @@
+From 7d08e1fae6150a3c0867dba6f75cf00946b3163c Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse at redhat.com>
+Date: Tue, 2 Jun 2015 14:32:06 +0200
+Subject: [PATCH] i8254: fix out-of-bounds memory access in pit_ioport_read()
+
+Due converting PIO to the new memory read/write api we no longer provide
+separate I/O region lenghts for read and write operations. As a result,
+reading from PIT Mode/Command register will end with accessing
+pit->channels with invalid index.
+
+Fix this by ignoring read from the Mode/Command register.
+
+This is CVE-2015-3214.
+
+Signed-off-by: Petr Matousek <pmatouse at redhat.com>
+Reported-by: Matt Tait <matttait at google.com>
+---
+ hw/timer/i8254.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
+index 3450c98..9b65a33 100644
+--- a/hw/timer/i8254.c
++++ b/hw/timer/i8254.c
+@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
+     PITChannelState *s;
+ 
+     addr &= 3;
++
++    if (addr == 3) {
++        /* Mode/Command register is write only, read is ignored */
++        return 0;
++    }
++
+     s = &pit->channels[addr];
+     if (s->status_latched) {
+         s->status_latched = 0;
+-- 
+2.1.0
+

Added: CVE-2015-5154.patch
===================================================================
--- CVE-2015-5154.patch	                        (rev 0)
+++ CVE-2015-5154.patch	2015-07-28 23:23:27 UTC (rev 242633)
@@ -0,0 +1,175 @@
+From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 3 Jun 2015 14:13:31 +0200
+Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
+ (CVE-2015-5154)
+
+If the end_transfer_func of a command is called because enough data has
+been read or written for the current PIO transfer, and it fails to
+correctly call the command completion functions, the DRQ bit in the
+status register and s->end_transfer_func may remain set. This allows the
+guest to access further bytes in s->io_buffer beyond s->data_end, and
+eventually overflowing the io_buffer.
+
+One case where this currently happens is emulation of the ATAPI command
+START STOP UNIT.
+
+This patch fixes the problem by adding explicit array bounds checks
+before accessing the buffer instead of relying on end_transfer_func to
+function correctly.
+
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+---
+ hw/ide/core.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 122e955..44fcc23 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
+     }
+ 
+     p = s->data_ptr;
++    if (p + 2 > s->data_end) {
++        return;
++    }
++
+     *(uint16_t *)p = le16_to_cpu(val);
+     p += 2;
+     s->data_ptr = p;
+@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+     }
+ 
+     p = s->data_ptr;
++    if (p + 2 > s->data_end) {
++        return 0;
++    }
++
+     ret = cpu_to_le16(*(uint16_t *)p);
+     p += 2;
+     s->data_ptr = p;
+@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
+     }
+ 
+     p = s->data_ptr;
++    if (p + 4 > s->data_end) {
++        return;
++    }
++
+     *(uint32_t *)p = le32_to_cpu(val);
+     p += 4;
+     s->data_ptr = p;
+@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+     }
+ 
+     p = s->data_ptr;
++    if (p + 4 > s->data_end) {
++        return 0;
++    }
++
+     ret = cpu_to_le32(*(uint32_t *)p);
+     p += 4;
+     s->data_ptr = p;
+-- 
+1.8.3.1
+From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 3 Jun 2015 14:17:46 +0200
+Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
+
+The command must be completed on all code paths. START STOP UNIT with
+pwrcnd set should succeed without doing anything.
+
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+---
+ hw/ide/atapi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 950e311..79dd167 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
+
+     if (pwrcnd) {
+         /* eject/load only happens for power condition == 0 */
++        ide_atapi_cmd_ok(s);
+         return;
+     }
+
+--
+1.8.3.1
+
+From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 3 Jun 2015 14:41:27 +0200
+Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
+
+This is additional hardening against an end_transfer_func that fails to
+clear the DRQ status bit. The bit must be unset as soon as the PIO
+transfer has completed, so it's better to do this in a central place
+instead of duplicating the code in all commands (and forgetting it in
+some).
+
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+---
+ hw/ide/core.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 44fcc23..50449ca 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
+     *(uint16_t *)p = le16_to_cpu(val);
+     p += 2;
+     s->data_ptr = p;
+-    if (p >= s->data_end)
++    if (p >= s->data_end) {
++        s->status &= ~DRQ_STAT;
+         s->end_transfer_func(s);
++    }
+ }
+
+ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+     ret = cpu_to_le16(*(uint16_t *)p);
+     p += 2;
+     s->data_ptr = p;
+-    if (p >= s->data_end)
++    if (p >= s->data_end) {
++        s->status &= ~DRQ_STAT;
+         s->end_transfer_func(s);
++    }
+     return ret;
+ }
+
+@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
+     *(uint32_t *)p = le32_to_cpu(val);
+     p += 4;
+     s->data_ptr = p;
+-    if (p >= s->data_end)
++    if (p >= s->data_end) {
++        s->status &= ~DRQ_STAT;
+         s->end_transfer_func(s);
++    }
+ }
+
+ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+     ret = cpu_to_le32(*(uint32_t *)p);
+     p += 4;
+     s->data_ptr = p;
+-    if (p >= s->data_end)
++    if (p >= s->data_end) {
++        s->status &= ~DRQ_STAT;
+         s->end_transfer_func(s);
++    }
+     return ret;
+ }
+
+--
+1.8.3.1
+

Added: CVE-2015-5158.patch
===================================================================
--- CVE-2015-5158.patch	                        (rev 0)
+++ CVE-2015-5158.patch	2015-07-28 23:23:27 UTC (rev 242633)
@@ -0,0 +1,46 @@
+From c170aad8b057223b1139d72e5ce7acceafab4fa9 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Tue, 21 Jul 2015 08:59:39 +0200
+Subject: [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb
+ (CVE-2015-5158)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a guest-triggerable buffer overflow present in QEMU 2.2.0
+and newer.  scsi_cdb_length returns -1 as an error value, but the
+caller does not check it.
+
+Luckily, the massive overflow means that QEMU will just SIGSEGV,
+making the impact much smaller.
+
+Reported-by: Zhu Donghai (朱东海) <donghai.zdh at alibaba-inc.com>
+Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
+Reviewed-by: Fam Zheng <famz at redhat.com>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ hw/scsi/scsi-bus.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
+index f50b2f0..f0ae462 100644
+--- a/hw/scsi/scsi-bus.c
++++ b/hw/scsi/scsi-bus.c
+@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
+ int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
+ {
+     int rc;
++    int len;
+ 
+     cmd->lba = -1;
+-    cmd->len = scsi_cdb_length(buf);
++    len = scsi_cdb_length(buf);
++    if (len < 0) {
++        return -1;
++    }
+ 
++    cmd->len = len;
+     switch (dev->type) {
+     case TYPE_TAPE:
+         rc = scsi_req_stream_xfer(cmd, dev, buf);

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2015-07-28 23:20:50 UTC (rev 242632)
+++ PKGBUILD	2015-07-28 23:23:27 UTC (rev 242633)
@@ -2,7 +2,7 @@
 # Maintainer: Tobias Powalowski <tpowa at archlinux.org>
 pkgname=('qemu' 'libcacard')
 pkgver=2.3.0
-pkgrel=4
+pkgrel=5
 arch=('i686' 'x86_64')
 license=('GPL2' 'LGPL2.1')
 url="http://wiki.qemu.org/Index.html"
@@ -14,11 +14,23 @@
 options=(!strip)
 source=(http://wiki.qemu.org/download/${pkgname}-${pkgver}.tar.bz2
         CVE-2015-3456.patch
+        CVE-2015-5154.patch
+        CVE-2015-3214.patch
+        CVE-2015-5158.patch
         65-kvm.rules)
+md5sums=('2fab3ea4460de9b57192e5b8b311f221'
+         '5e8a68940c4e0267e795a6ddd144e00e'
+         '311d3845dda4795bf63107c3dcbf2bea'
+         '29840d5f2fa93ff447bf9dd120d12e5a'
+         'cd87c265dfec4d8aa3767d5d047cd397'
+         '33ab286a20242dda7743a900f369d68a')
 
 prepare() {
-  cd "${srcdir}/${pkgname}-${pkgver}"
-  patch -p1 -i ${srcdir}/CVE-2015-3456.patch
+  for _p in *.patch; do
+    [[ -e "$_p" ]] || continue
+  msg2 "Patching $_p"
+    patch -p1 -d ${pkgname}-${pkgver} < "$_p"
+  done
 }
 
 build ()
@@ -48,11 +60,11 @@
   backup=('etc/qemu/target-x86_64.conf')
   replaces=('qemu-kvm')
   optdepends=('samba: for SMB server support'
-			  'libssh2: for remote disks over ssh support'
-			  'curl: for remote disks over http/ftp support'
-              'libiscsi: for iSCSI support'
-              'ceph: for RDB support'
-			  'glusterfs: for glusterfs support')
+        'libssh2: for remote disks over ssh support'
+        'curl: for remote disks over http/ftp support'
+        'libiscsi: for iSCSI support'
+        'ceph: for RDB support'
+        'glusterfs: for glusterfs support')
   install=qemu.install
   cd "${srcdir}/${pkgname}-${pkgver}"
   make DESTDIR="${pkgdir}" libexecdir="/usr/lib/qemu" install
@@ -101,6 +113,5 @@
  cp -a ${srcdir}/qemu-${pkgver}/libcacard.pc ${pkgdir}/usr/lib/pkgconfig/
  cp -a ${srcdir}/qemu-${pkgver}/.libs/vscclient ${pkgdir}/usr/bin/
 }
-md5sums=('2fab3ea4460de9b57192e5b8b311f221'
-         '5e8a68940c4e0267e795a6ddd144e00e'
-         '33ab286a20242dda7743a900f369d68a')
+
+# vim:set ts=2 sw=2 et:



More information about the arch-commits mailing list