From 55b085e26c846176af7ed0c048a833715c55b491 Mon Sep 17 00:00:00 2001 From: "Edward W. Koenig" Date: Thu, 14 May 2015 23:25:41 +0700 Subject: system/qemu: Added patch to fix VENOM vulnerability. Signed-off-by: Willy Sudiarto Raharjo --- system/qemu/qemu.SlackBuild | 6 ++++- system/qemu/qemu_venom.patch | 58 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 system/qemu/qemu_venom.patch diff --git a/system/qemu/qemu.SlackBuild b/system/qemu/qemu.SlackBuild index 25d568b7cf..c9c7c4698f 100644 --- a/system/qemu/qemu.SlackBuild +++ b/system/qemu/qemu.SlackBuild @@ -39,10 +39,11 @@ # 1.6a 23-NOV-2014 added overlooked AUDIODRIVERS switch per SBo list # 1.7 01-JAN-2015 updated to 2.2.0 ; build and link static libusb option (rw, tm, SBo list) # 1.8 27-APR-2015 updated to version 2.3.0 +# 1.9 14-MAY-2015 patched for "Venom" CVE-2015-3456 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c PRGNAM=qemu VERSION=${VERSION:-2.3.0} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} TAG=${TAG:-_SBo} KVMGROUP=${KVMGROUP:-users} @@ -136,6 +137,9 @@ if [ "$LIBUSB" = "yes" ]; then USBSTATIC="$TMP/$PRGNAM-$VERSION/libusb-static/lib/pkgconfig" fi +# patch Venom bug CVE-2015-3456 +patch -p1 < $CWD/qemu_venom.patch + PKG_CONFIG_PATH+="${USBSTATIC}" \ CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ diff --git a/system/qemu/qemu_venom.patch b/system/qemu/qemu_venom.patch new file mode 100644 index 0000000000..00439e5828 --- /dev/null +++ b/system/qemu/qemu_venom.patch @@ -0,0 +1,58 @@ +index f72a392..d8a8edd 100644 (file) +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command \ No newline at end of file -- cgit v1.2.3