cardoe      15/07/27 19:32:48

  Added:                qemu-2.3.0-CVE-2015-5154-1.patch
                        qemu-2.3.0-CVE-2015-5154-2.patch
                        qemu-2.3.0-CVE-2015-5154-3.patch
                        qemu-2.3.0-CVE-2015-3214.patch
  Log:
  Fix for CVE-2015-3214, handle out-of-bounds memory access when reading
  from the PIT Mode/Command register. Fix for CVE-2015-5154, handle ATAPI
  heap overflow during I/O access.
  
  (Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key 
A2BC03DC87ED1BD4!)

Revision  Changes    Path
1.1                  app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-1.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-1.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-1.patch?rev=1.1&content-type=text/plain

Index: qemu-2.3.0-CVE-2015-5154-1.patch
===================================================================
>From d2ff85854512574e7209f295e87b0835d5b032c6 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kw...@redhat.com>
Date: Sun, 26 Jul 2015 23:42:53 -0400
Subject: [PATCH] ide: Check array bounds before writing to io_buffer
 (CVE-2015-5154)

If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.

One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.

This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.

Cc: qemu-sta...@nongnu.org
Signed-off-by: Kevin Wolf <kw...@redhat.com>
Reviewed-by: John Snow <js...@redhat.com>
---
 hw/ide/core.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 122e955..44fcc23 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, 
uint32_t val)
     }
 
     p = s->data_ptr;
+    if (p + 2 > s->data_end) {
+        return;
+    }
+
     *(uint16_t *)p = le16_to_cpu(val);
     p += 2;
     s->data_ptr = p;
@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
     }
 
     p = s->data_ptr;
+    if (p + 2 > s->data_end) {
+        return 0;
+    }
+
     ret = cpu_to_le16(*(uint16_t *)p);
     p += 2;
     s->data_ptr = p;
@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, 
uint32_t val)
     }
 
     p = s->data_ptr;
+    if (p + 4 > s->data_end) {
+        return;
+    }
+
     *(uint32_t *)p = le32_to_cpu(val);
     p += 4;
     s->data_ptr = p;
@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
     }
 
     p = s->data_ptr;
+    if (p + 4 > s->data_end) {
+        return 0;
+    }
+
     ret = cpu_to_le32(*(uint32_t *)p);
     p += 4;
     s->data_ptr = p;



1.1                  app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-2.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-2.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-2.patch?rev=1.1&content-type=text/plain

Index: qemu-2.3.0-CVE-2015-5154-2.patch
===================================================================
>From 03441c3a4a42beb25460dd11592539030337d0f8 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kw...@redhat.com>
Date: Sun, 26 Jul 2015 23:42:53 -0400
Subject: [PATCH] ide/atapi: Fix START STOP UNIT command completion

The command must be completed on all code paths. START STOP UNIT with
pwrcnd set should succeed without doing anything.

Signed-off-by: Kevin Wolf <kw...@redhat.com>
Reviewed-by: John Snow <js...@redhat.com>
---
 hw/ide/atapi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
index 950e311..79dd167 100644
--- a/hw/ide/atapi.c
+++ b/hw/ide/atapi.c
@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
 
     if (pwrcnd) {
         /* eject/load only happens for power condition == 0 */
+        ide_atapi_cmd_ok(s);
         return;
     }
 



1.1                  app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-3.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-3.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-3.patch?rev=1.1&content-type=text/plain

Index: qemu-2.3.0-CVE-2015-5154-3.patch
===================================================================
>From cb72cba83021fa42719e73a5249c12096a4d1cfc Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kw...@redhat.com>
Date: Sun, 26 Jul 2015 23:42:53 -0400
Subject: [PATCH] ide: Clear DRQ after handling all expected accesses

This is additional hardening against an end_transfer_func that fails to
clear the DRQ status bit. The bit must be unset as soon as the PIO
transfer has completed, so it's better to do this in a central place
instead of duplicating the code in all commands (and forgetting it in
some).

Signed-off-by: Kevin Wolf <kw...@redhat.com>
Reviewed-by: John Snow <js...@redhat.com>
---
 hw/ide/core.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 44fcc23..50449ca 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, 
uint32_t val)
     *(uint16_t *)p = le16_to_cpu(val);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
     ret = cpu_to_le16(*(uint16_t *)p);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }
 
@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, 
uint32_t val)
     *(uint32_t *)p = le32_to_cpu(val);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 uint32_t ide_data_readl(void *opaque, uint32_t addr)
@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
     ret = cpu_to_le32(*(uint32_t *)p);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }
 



1.1                  app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3214.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3214.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3214.patch?rev=1.1&content-type=text/plain

Index: qemu-2.3.0-CVE-2015-3214.patch
===================================================================
From: Petr Matousek <pmato...@redhat.com>
Date: Wed, 17 Jun 2015 10:46:11 +0000 (+0200)
Subject: i8254: fix out-of-bounds memory access in pit_ioport_read()
X-Git-Tag: v2.4.0-rc0~43^2~9
X-Git-Url: 
http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=d4862a87e31a51de9eb260f25c9e99a75efe3235;hp=9dacf32d2cbd66cbcce7944ebdfd6b2df20e33b8

i8254: fix out-of-bounds memory access in pit_ioport_read()

Due converting PIO to the new memory read/write api we no longer provide
separate I/O region lenghts for read and write operations. As a result,
reading from PIT Mode/Command register will end with accessing
pit->channels with invalid index.

Fix this by ignoring read from the Mode/Command register.

This is CVE-2015-3214.

Reported-by: Matt Tait <mattt...@google.com>
Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052
Cc: qemu-sta...@nongnu.org
Signed-off-by: Petr Matousek <pmato...@redhat.com>
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
---

diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
index 3450c98..9b65a33 100644
--- a/hw/timer/i8254.c
+++ b/hw/timer/i8254.c
@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
     PITChannelState *s;
 
     addr &= 3;
+
+    if (addr == 3) {
+        /* Mode/Command register is write only, read is ignored */
+        return 0;
+    }
+
     s = &pit->channels[addr];
     if (s->status_latched) {
         s->status_latched = 0;




Reply via email to