Re: [Qemu-devel] QEMU Various Vulnerabilities

2007-05-03 Thread Kirill A. Shutemov
On [Wed, 02.05.2007 18:21], malc wrote:
 On Wed, 2 May 2007, Kirill A. Shutemov wrote:
 
 http://secunia.com/advisories/25073/
 
 Any comments ?
 
 AAM - http://lists.gnu.org/archive/html/qemu-devel/2007-04/msg00650.html
 SB16/DMA - in attachment

Thanks. Other Vulnerabilities?

-- 
Regards,  Kirill A. Shutemov
 + Belarus, Minsk
 + Velesys LLC, http://www.velesys.com/
 + ALT Linux Team, http://www.altlinux.com/




Re: [Qemu-devel] QEMU Various Vulnerabilities

2007-05-03 Thread Juergen Lock
In article [EMAIL PROTECTED] Kirill A. Shutemov wrote:
On [Wed, 02.05.2007 18:21], malc wrote:
 On Wed, 2 May 2007, Kirill A. Shutemov wrote:
 http://secunia.com/advisories/25073/
 
 Any comments ?
 AAM - http://lists.gnu.org/archive/html/qemu-devel/2007-04/msg00650.html
 SB16/DMA - in attachment

Thanks. Other Vulnerabilities?

Yesterday I added the debian security patch (90_security.patch from

http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2-4etch1.diff.gz
) to the FreeBSD qemu ports (had to modify it slightly), cvsweb location
of the one for qemu 0.9.0 is here,

http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu/files/patch-90_security
and the one for the 20070405 cvs snapshot is here,

http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu-devel/files/patch-90_security
(I haven't checked if it still applies to today's cvs, but it might :)

 I also disabled the -vmwarevga acceleration code because of the missing
range checks, cvsweb of that patch is here,

http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu-devel/files/patch-hw-vmware_vga.c

 HTH,
Juergen




Re: [Qemu-devel] QEMU Various Vulnerabilities

2007-05-02 Thread malc

On Wed, 2 May 2007, Kirill A. Shutemov wrote:


http://secunia.com/advisories/25073/

Any comments ?


AAM - http://lists.gnu.org/archive/html/qemu-devel/2007-04/msg00650.html
SB16/DMA - in attachment

--
vale

Index: hw/dma.c
===
RCS file: /cvsroot/qemu/qemu/hw/dma.c,v
retrieving revision 1.14
diff -u -r1.14 dma.c
--- hw/dma.c21 Nov 2005 23:29:55 -  1.14
+++ hw/dma.c2 May 2007 14:23:19 -
@@ -438,6 +438,13 @@
 write_cont (d, (0x0d  d-dshift), 0);
 }
 
+static int dma_phony_handler (void *opaque, int nchan, int dma_pos, int 
dma_len)
+{
+dolog (unregistered DMA channel used nchan=%d dma_pos=%d dma_len=%d\n,
+   nchan, dma_pos, dma_len);
+return dma_pos;
+}
+
 /* dshift = 0: 8 bit DMA, 1 = 16 bit DMA */
 static void dma_init2(struct dma_cont *d, int base, int dshift,
   int page_base, int pageh_base)
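Review bot: dma_phony_handler is reachable whenever a guest programs a DMA channel that no device registered, so the dolog call in this hunk is a guest-controlled log line; unless dolog is compiled out in release builds, rate-limit it or keep it at debug level so a guest cannot fill the host log by repeatedly kicking an unregistered channel. Returning dma_pos unchanged (no bytes consumed) is the right default for a missing handler, and a one-line comment above the function stating that it is the fallback installed for every channel would make that intent clear to the next reader.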
@@ -470,6 +477,9 @@
 }
 qemu_register_reset(dma_reset, d);
 dma_reset(d);
+for (i = 0; i  LENOFA (d-regs); ++i) {
+d-regs[i].transfer_handler = dma_phony_handler;
+}
 }
 
 static void dma_save (QEMUFile *f, void *opaque)
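Review bot: the loop that installs dma_phony_handler runs after dma_reset(d), but dma_reset is also registered via qemu_register_reset and runs again on every later reset; if dma_reset clears or reinitialises d->regs (not visible in this hunk), the default handler is lost on the first guest-triggered reset and the dispatch through a missing handler that this patch is meant to close reopens. Either move the loop into dma_reset or put it before the first dma_reset call so every reset path preserves it. Also confirm that the loop index i is declared in dma_init2 (its declaration lies outside the hunk) and that the committed condition is `i < LENOFA (d->regs)`; as the line appears here the comparison operator is missing.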
Index: hw/sb16.c
===
RCS file: /cvsroot/qemu/qemu/hw/sb16.c,v
retrieving revision 1.23
diff -u -r1.23 sb16.c
--- hw/sb16.c   7 Apr 2007 18:14:41 -   1.23
+++ hw/sb16.c   2 May 2007 14:23:19 -
@@ -1189,6 +1189,12 @@
 SB16State *s = opaque;
 int till, copy, written, free;
 
+if (s-block_size = 0) {
+dolog (invalid block size=%d nchan=%d dma_pos=%d dma_len=%d\n,
+   s-block_size, nchan, dma_pos, dma_len);
+return dma_pos;
+}
+
 if (s-left_till_irq  0) {
 s-left_till_irq = s-block_size;
 }
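Review bot: the guard at the top of the DMA callback reads `s-block_size = 0` as shown, which is an assignment rather than a test; the committed check must be the comparison `s->block_size <= 0`, otherwise it zeroes block_size and returns on every callback. Beyond that, the check only catches the bad value at transfer time: block_size is programmed by guest commands, so validating it where the guest sets it (and rejecting the command) would keep the invalid state from being stored at all, and the dolog here fires on every DMA callback while the bad value persists, so it is guest-triggerable and needs rate limiting or debug-only compilation.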