Re: [Qemu-devel] QEMU Various Vulnerabilities
On [Wed, 02.05.2007 18:21], malc wrote:
> On Wed, 2 May 2007, Kirill A. Shutemov wrote:
>> http://secunia.com/advisories/25073/
>> Any comments?
>
> AAM - http://lists.gnu.org/archive/html/qemu-devel/2007-04/msg00650.html
> SB16/DMA - in attachment

Thanks. Other vulnerabilities?

--
Regards, Kirill A. Shutemov
 + Belarus, Minsk
 + Velesys LLC, http://www.velesys.com/
 + ALT Linux Team, http://www.altlinux.com/
Re: [Qemu-devel] QEMU Various Vulnerabilities
In article [EMAIL PROTECTED] Kirill A. Shutemov wrote:
> On [Wed, 02.05.2007 18:21], malc wrote:
>> On Wed, 2 May 2007, Kirill A. Shutemov wrote:
>>> http://secunia.com/advisories/25073/
>>> Any comments?
>>
>> AAM - http://lists.gnu.org/archive/html/qemu-devel/2007-04/msg00650.html
>> SB16/DMA - in attachment
>
> Thanks. Other vulnerabilities?

Yesterday I added the Debian security patch (90_security.patch from
http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2-4etch1.diff.gz)
to the FreeBSD qemu ports (had to modify it slightly). The cvsweb location of
the one for qemu 0.9.0 is here,
http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu/files/patch-90_security
and the one for the 20070405 cvs snapshot is here,
http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu-devel/files/patch-90_security
(I haven't checked if it still applies to today's cvs, but it might :)

I also disabled the -vmwarevga acceleration code because of the missing range
checks; cvsweb of that patch is here,
http://www.freebsd.org/cgi/cvsweb.cgi/ports/emulators/qemu-devel/files/patch-hw-vmware_vga.c

HTH,
Juergen
Re: [Qemu-devel] QEMU Various Vulnerabilities
On Wed, 2 May 2007, Kirill A. Shutemov wrote: http://secunia.com/advisories/25073/ Any comments ? AAM - http://lists.gnu.org/archive/html/qemu-devel/2007-04/msg00650.html SB16/DMA - in attachment -- valeIndex: hw/dma.c === RCS file: /cvsroot/qemu/qemu/hw/dma.c,v retrieving revision 1.14 diff -u -r1.14 dma.c --- hw/dma.c21 Nov 2005 23:29:55 - 1.14 +++ hw/dma.c2 May 2007 14:23:19 - @@ -438,6 +438,13 @@ write_cont (d, (0x0d d-dshift), 0); } +static int dma_phony_handler (void *opaque, int nchan, int dma_pos, int dma_len) +{ +dolog (unregistered DMA channel used nchan=%d dma_pos=%d dma_len=%d\n, + nchan, dma_pos, dma_len); +return dma_pos; +} + /* dshift = 0: 8 bit DMA, 1 = 16 bit DMA */ static void dma_init2(struct dma_cont *d, int base, int dshift, int page_base, int pageh_base) @@ -470,6 +477,9 @@ } qemu_register_reset(dma_reset, d); dma_reset(d); +for (i = 0; i LENOFA (d-regs); ++i) { +d-regs[i].transfer_handler = dma_phony_handler; +} } static void dma_save (QEMUFile *f, void *opaque) Index: hw/sb16.c === RCS file: /cvsroot/qemu/qemu/hw/sb16.c,v retrieving revision 1.23 diff -u -r1.23 sb16.c --- hw/sb16.c 7 Apr 2007 18:14:41 - 1.23 +++ hw/sb16.c 2 May 2007 14:23:19 - @@ -1189,6 +1189,12 @@ SB16State *s = opaque; int till, copy, written, free; +if (s-block_size = 0) { +dolog (invalid block size=%d nchan=%d dma_pos=%d dma_len=%d\n, + s-block_size, nchan, dma_pos, dma_len); +return dma_pos; +} + if (s-left_till_irq 0) { s-left_till_irq = s-block_size; }
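Review bot: dma_phony_handler in the first hw/dma.c hunk calls dolog on every invocation, and the condition that reaches it (a guest driving a DMA channel no device has registered) is entirely guest-controlled, so a guest can fill the host log at DMA-transfer rate; log once per channel or rate-limit the dolog call. Returning dma_pos unchanged is the right choice there, since it reports no progress without touching any buffer.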
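Review bot: the loop added to dma_init2 in the second hw/dma.c hunk uses a loop variable i that is not declared in the hunk's visible lines; confirm dma_init2 already declares an int i, otherwise the patch will not build. The default handlers are also installed after dma_reset(d) rather than inside dma_reset, so if any later path clears transfer_handler back to NULL (the unregistered-channel case this patch is guarding against), a reset would not restore the phony handler; consider setting the default in dma_reset as well.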
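Review bot: in the hw/sb16.c hunk the new test appears in the archived text as `if (s-block_size = 0)`, which as written is an assignment rather than a comparison; the operator seems to have been dropped by the list archive (as it was for `i LENOFA (d-regs)` above and `s-left_till_irq 0` below), so confirm the real patch reads `<= 0`. Beyond that, the check guards only the DMA callback: block_size is written by the guest through the sb16 command path, so rejecting a zero or negative value at the point it is set, and logging it at most once, would stop the guest from re-triggering this dolog line on every DMA callback. Returning dma_pos on the bad value is correct, as it makes no progress.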