From 7cb6f648b2486b0e6060a333564432a0830637de Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Tue, 18 Aug 2015 22:23:57 -0400
Subject: gnu: qemu: Update to 2.3.1. Add fix for CVE-2015-5745.
* gnu/packages/patches/qemu-CVE-2015-5745.patch: New file.
* gnu/packages/patches/qemu-CVE-2015-3456.patch, gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch, gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch, gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch, gnu/packages/patches/qemu-CVE-2015-5158.patch: Delete files.
* gnu-system.am (dist_patch_DATA): Add new file and remove the deleted ones.
* gnu/packages/qemu.scm (qemu): Update to 2.3.1. Add new patch and remove the deleted ones.
---
 gnu-system.am | 6 +-
 gnu/packages/patches/qemu-CVE-2015-3456.patch | 85 ----------------------
 gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch | 76 --------------------
 gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch | 28 --------
 gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch | 71 -------------------
 gnu/packages/patches/qemu-CVE-2015-5158.patch | 45 ------------
 gnu/packages/patches/qemu-CVE-2015-5745.patch | 32 +++++++++
 gnu/packages/qemu.scm | 10 +-
 8 files changed, 36 insertions(+), 317 deletions(-)
 delete mode 100644 gnu/packages/patches/qemu-CVE-2015-3456.patch
 delete mode 100644 gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch
 delete mode 100644 gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch
 delete mode 100644 gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch
 delete mode 100644 gnu/packages/patches/qemu-CVE-2015-5158.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2015-5745.patch
diff --git a/gnu-system.am b/gnu-system.am
index 9f46f7b7e4..147abfc0d6 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -607,7 +607,6 @@ dist_patch_DATA = \
 gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \
 gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
 gnu/packages/patches/qemu-CVE-2015-3209.patch \
- gnu/packages/patches/qemu-CVE-2015-3456.patch \
 gnu/packages/patches/qemu-CVE-2015-4037.patch \
 gnu/packages/patches/qemu-CVE-2015-4103.patch \
 gnu/packages/patches/qemu-CVE-2015-4104.patch \
@@ -620,10 +619,7 @@ dist_patch_DATA = \
 gnu/packages/patches/qemu-CVE-2015-4106-pt6.patch \
 gnu/packages/patches/qemu-CVE-2015-4106-pt7.patch \
 gnu/packages/patches/qemu-CVE-2015-4106-pt8.patch \
- gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch \
- gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch \
- gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch \
- gnu/packages/patches/qemu-CVE-2015-5158.patch \
+ gnu/packages/patches/qemu-CVE-2015-5745.patch \
 gnu/packages/patches/qt4-ldflags.patch \
 gnu/packages/patches/qt4-tests.patch \
 gnu/packages/patches/qt5-runpath.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2015-3456.patch b/gnu/packages/patches/qemu-CVE-2015-3456.patch
deleted file mode 100644
index 9514f7c3e5..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-3456.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
-From: Petr Matousek
-Date: Wed, 6 May 2015 09:48:59 +0200
-Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
- buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
-Signed-off-by: Petr Matousek
-Reviewed-by: John Snow
-Signed-off-by: John Snow
----
- hw/block/fdc.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index f72a392..d8a8edd 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- {
- FDrive *cur_drv;
- uint32_t retval = 0;
-- int pos;
-+ uint32_t pos;
-
- cur_drv = get_cur_drv(fdctrl);
- fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- return 0;
- }
- pos = fdctrl->data_pos;
-+ pos %= FD_SECTOR_LEN;
- if (fdctrl->msr & FD_MSR_NONDMA) {
-- pos %= FD_SECTOR_LEN;
- if (pos == 0) {
- if (fdctrl->data_pos != 0)
- if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
- static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
- {
- FDrive *cur_drv = get_cur_drv(fdctrl);
-+ uint32_t pos;
-
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+ pos = fdctrl->data_pos - 1;
-+ pos %= FD_SECTOR_LEN;
-+ if (fdctrl->fifo[pos] & 0x80) {
- /* Command parameters done */
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+ if (fdctrl->fifo[pos] & 0x40) {
- fdctrl->fifo[0] = fdctrl->fifo[1];
- fdctrl->fifo[2] = 0;
- fdctrl->fifo[3] = 0;
-@@ -1955,7 +1958,7 @@ static
uint8_t command_to_handler[256];
- static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- {
- FDrive *cur_drv;
-- int pos;
-+ uint32_t pos;
-
- /* Reset mode */
- if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- }
-
- FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-- fdctrl->fifo[fdctrl->data_pos++] = value;
-+ pos = fdctrl->data_pos++;
-+ pos %= FD_SECTOR_LEN;
-+ fdctrl->fifo[pos] = value;
- if (fdctrl->data_pos == fdctrl->data_len) {
- /* We now have all parameters
- * and will be able to treat the command
---
-2.2.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch b/gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch
deleted file mode 100644
index 8a41848ddf..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf
-Date: Wed, 3 Jun 2015 14:13:31 +0200
-Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
- (CVE-2015-5154)
-
-If the end_transfer_func of a command is called because enough data has
-been read or written for the current PIO transfer, and it fails to
-correctly call the command completion functions, the DRQ bit in the
-status register and s->end_transfer_func may remain set. This allows the
-guest to access further bytes in s->io_buffer beyond s->data_end, and
-eventually overflowing the io_buffer.
-
-One case where this currently happens is emulation of the ATAPI command
-START STOP UNIT.
-
-This patch fixes the problem by adding explicit array bounds checks
-before accessing the buffer instead of relying on end_transfer_func to
-function correctly.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf
----
- hw/ide/core.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 122e955..44fcc23 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
- }
-
- p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return;
-+ }
-+
- *(uint16_t *)p = le16_to_cpu(val);
- p += 2;
- s->data_ptr = p;
-@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
- }
-
- p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return 0;
-+ }
-+
- ret = cpu_to_le16(*(uint16_t *)p);
- p += 2;
- s->data_ptr = p;
-@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
- }
-
- p = s->data_ptr;
-+ if (p + 4 > s->data_end) {
-+ return;
-+ }
-+
- *(uint32_t *)p = le32_to_cpu(val);
- p += 4;
- s->data_ptr = p;
-@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
- }
-
- p = s->data_ptr;
-+ if (p + 4 > s->data_end) {
-+ return 0;
-+ }
-+
- ret =
cpu_to_le32(*(uint32_t *)p);
- p += 4;
- s->data_ptr = p;
---
-1.8.3.1
diff --git a/gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch b/gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch
deleted file mode 100644
index f860cfa3db..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf
-Date: Wed, 3 Jun 2015 14:17:46 +0200
-Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
-
-The command must be completed on all code paths. START STOP UNIT with
-pwrcnd set should succeed without doing anything.
-
-Signed-off-by: Kevin Wolf
----
- hw/ide/atapi.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
-index 950e311..79dd167 100644
---- a/hw/ide/atapi.c
-+++ b/hw/ide/atapi.c
-@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
-
- if (pwrcnd) {
- /* eject/load only happens for power condition == 0 */
-+ ide_atapi_cmd_ok(s);
- return;
- }
-
---
-1.8.3.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch b/gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch
deleted file mode 100644
index 3ade9b1600..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf
-Date: Wed, 3 Jun 2015 14:41:27 +0200
-Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
-
-This is additional hardening against an end_transfer_func that fails to
-clear the DRQ status bit. The bit must be unset as soon as the PIO
-transfer has completed, so it's better to do this in a central place
-instead of duplicating the code in all commands (and forgetting it in
-some).
-
-Signed-off-by: Kevin Wolf
----
- hw/ide/core.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 44fcc23..50449ca 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
- *(uint16_t *)p = le16_to_cpu(val);
- p += 2;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- }
-
- uint32_t ide_data_readw(void *opaque, uint32_t addr)
-@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
- ret = cpu_to_le16(*(uint16_t *)p);
- p += 2;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- return ret;
- }
-
-@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
- *(uint32_t *)p = le32_to_cpu(val);
- p += 4;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- }
-
- uint32_t ide_data_readl(void *opaque, uint32_t addr)
-@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
- ret = cpu_to_le32(*(uint32_t *)p);
- p += 4;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- return ret;
- }
-
---
-1.8.3.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5158.patch b/gnu/packages/patches/qemu-CVE-2015-5158.patch
deleted file mode 100644
index bedbfc8fa4..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5158.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-c170aad8b057223b1139d72e5ce7acceafab4fa9
-Author: Paolo Bonzini
-Date: Tue Jul 21 08:59:39 2015 +0200
-
- scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
-
- This is a guest-triggerable buffer overflow present in QEMU 2.2.0
- and newer. scsi_cdb_length returns -1 as an error value, but the
- caller does not check it.
-
- Luckily, the massive overflow means that QEMU will just SIGSEGV,
- making the impact much smaller.
-
- Reported-by: Zhu Donghai (朱东海)
- Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
- Reviewed-by: Fam Zheng
- Cc: qemu-stable@nongnu.org
- Signed-off-by: Paolo Bonzini
-
-1 file changed, 6 insertions(+), 1 deletion(-)
- hw/scsi/scsi-bus.c | 7 ++++++-
-
- Modified hw/scsi/scsi-bus.c
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index f50b2f0..f0ae462 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
- int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
- {
- int rc;
-+ int len;
-
- cmd->lba = -1;
-- cmd->len = scsi_cdb_length(buf);
-+ len = scsi_cdb_length(buf);
-+ if (len < 0) {
-+ return -1;
-+ }
-
-+ cmd->len = len;
- switch (dev->type) {
- case TYPE_TAPE:
- rc = scsi_req_stream_xfer(cmd, dev, buf);
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5745.patch b/gnu/packages/patches/qemu-CVE-2015-5745.patch
new file mode 100644
index 0000000000..2326279026
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2015-5745.patch
@@ -0,0 +1,32 @@
+From 7882080388be5088e72c425b02223c02e6cb4295 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin"
+Date: Thu, 23 Jul 2015 17:52:02 +0300
+Subject: [PATCH] virtio-serial: fix ANY_LAYOUT
+
+Don't assume a specific layout for control messages.
+Required by virtio 1.
+
+Signed-off-by: Michael S. Tsirkin
+Reviewed-by: Amit Shah
+Reviewed-by: Jason Wang
+---
+ hw/char/virtio-serial-bus.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
+index 78c73e5..929e49c 100644
+--- a/hw/char/virtio-serial-bus.c
++++ b/hw/char/virtio-serial-bus.c
+@@ -195,7 +195,8 @@ static size_t send_control_msg(VirtIOSerial *vser, void *buf, size_t len)
+ return 0;
+ }
+
+- memcpy(elem.in_sg[0].iov_base, buf, len);
++ /* TODO: detect a buffer that's too short, set NEEDS_RESET */
++ iov_from_buf(elem.in_sg, elem.in_num, 0, buf, len);
+
+ virtqueue_push(vq, &elem, len);
+ virtio_notify(VIRTIO_DEVICE(vser), vq);
+--
+2.4.3
+
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 6979655122..b2ef95d03b 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -44,16 +44,15 @@ (define-public qemu-headless
 ;; This is QEMU without GUI support.
 (package
 (name "qemu-headless")
- (version "2.3.0")
+ (version "2.3.1")
 (source (origin
 (method url-fetch)
 (uri (string-append "http://wiki.qemu-project.org/download/qemu-"
 version ".tar.bz2"))
 (sha256
 (base32
- "120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn"))
+ "0px1vhkglxzjdxkkqln98znv832n1sn79g5inh3aw72216c047b6"))
 (patches (map search-patch '("qemu-CVE-2015-3209.patch"
- "qemu-CVE-2015-3456.patch"
 "qemu-CVE-2015-4037.patch"
 "qemu-CVE-2015-4103.patch"
 "qemu-CVE-2015-4104.patch"
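Review bot: The backported hunk in hw/char/virtio-serial-bus.c drops the return value of `iov_from_buf(elem.in_sg, elem.in_num, 0, buf, len)`, so if the guest hands over an `in_sg` chain holding fewer than `len` bytes the control message is truncated silently while `virtqueue_push(vq, &elem, len)` still reports `len` bytes consumed; the upstream TODO on the line above acknowledges this residual gap, and the bounded copy is presumably what closes the out-of-bounds write tracked as CVE-2015-5745. Because the file is a verbatim upstream backport it should stay untouched, but a one-line provenance and caveat header above the `From` line would help the next maintainer, e.g. `Backported from upstream QEMU commit 7882080388be (CVE-2015-5745); the too-short in_sg case is still a TODO upstream.` The enclosing function `send_control_msg` begins and ends outside the hunk.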
@@ -66,10 +65,7 @@ (define-public qemu-headless
 "qemu-CVE-2015-4106-pt6.patch"
 "qemu-CVE-2015-4106-pt7.patch"
 "qemu-CVE-2015-4106-pt8.patch"
- "qemu-CVE-2015-5154-pt1.patch"
- "qemu-CVE-2015-5154-pt2.patch"
- "qemu-CVE-2015-5154-pt3.patch"
- "qemu-CVE-2015-5158.patch")))))
+ "qemu-CVE-2015-5745.patch")))))
 (build-system gnu-build-system)
 (arguments
 '(#:phases (alist-replace
--
cgit v1.2.3