-rw-r--r--system/qemu/patches/qemu_atapi.patch91
-rw-r--r--system/qemu/patches/qemu_pcnet.patch (renamed from system/qemu/qemu_pcnet.patch)2
-rw-r--r--system/qemu/patches/qemu_venom.patch (renamed from system/qemu/qemu_venom.patch)2
-rw-r--r--system/qemu/qemu.SlackBuild10
4 files changed, 100 insertions, 5 deletions
diff --git a/system/qemu/patches/qemu_atapi.patch b/system/qemu/patches/qemu_atapi.patch
new file mode 100644
index 0000000000000..f977b4f2816c4
--- /dev/null
+++ b/system/qemu/patches/qemu_atapi.patch
@@ -0,0 +1,91 @@
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 950e311..79dd167 100644 (file)
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
+
+ if (pwrcnd) {
+ /* eject/load only happens for power condition == 0 */
++ ide_atapi_cmd_ok(s);
+ return;
+ }
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 122e955..50449ca 100644 (file)
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -2021,11 +2021,17 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
+ }
+
+ p = s->data_ptr;
++ if (p + 2 > s->data_end) {
++ return;
++ }
++
+ *(uint16_t *)p = le16_to_cpu(val);
+ p += 2;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ }
+
+ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+@@ -2042,11 +2048,17 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+ }
+
+ p = s->data_ptr;
++ if (p + 2 > s->data_end) {
++ return 0;
++ }
++
+ ret = cpu_to_le16(*(uint16_t *)p);
+ p += 2;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ return ret;
+ }
+
+@@ -2063,11 +2075,17 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
+ }
+
+ p = s->data_ptr;
++ if (p + 4 > s->data_end) {
++ return;
++ }
++
+ *(uint32_t *)p = le32_to_cpu(val);
+ p += 4;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ }
+
+ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+@@ -2084,11 +2102,17 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+ }
+
+ p = s->data_ptr;
++ if (p + 4 > s->data_end) {
++ return 0;
++ }
++
+ ret = cpu_to_le32(*(uint32_t *)p);
+ p += 4;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ return ret;
+ }
diff --git a/system/qemu/qemu_pcnet.patch b/system/qemu/patches/qemu_pcnet.patch
index 5fc27c6069b0b..25c89cd90bc37 100644
--- a/system/qemu/qemu_pcnet.patch
+++ b/system/qemu/patches/qemu_pcnet.patch
@@ -15,4 +15,4 @@ index bdfd38f..68b9981 100644 (file)
+
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
- s->xmit_pos += bcnt; \ No newline at end of file
+ s->xmit_pos += bcnt;
diff --git a/system/qemu/qemu_venom.patch b/system/qemu/patches/qemu_venom.patch
index 00439e58282cb..0bbd18c223a9f 100644
--- a/system/qemu/qemu_venom.patch
+++ b/system/qemu/patches/qemu_venom.patch
@@ -55,4 +55,4 @@ index f72a392..d8a8edd 100644 (file)
+ fdctrl->fifo[pos] = value;
if (fdctrl->data_pos == fdctrl->data_len) {
/* We now have all parameters
- * and will be able to treat the command \ No newline at end of file
+ * and will be able to treat the command
diff --git a/system/qemu/qemu.SlackBuild b/system/qemu/qemu.SlackBuild
index 1da81e8417361..2d563cf528aeb 100644
--- a/system/qemu/qemu.SlackBuild
+++ b/system/qemu/qemu.SlackBuild
@@ -41,10 +41,11 @@
# 1.8 27-APR-2015 updated to version 2.3.0
# 1.9 14-MAY-2015 patched for "Venom" CVE-2015-3456 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
# 2.0 11-JUL-2015 patched for Heap-based buffer overflow in the PCNET controller CVE-2015-3209 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=9f7c594c006289ad41169b854d70f5da6e400a2a
+# 2.1 27-JUL-2015 patched for heap overflow flaw while processing certain ATAPI commands CVE-2015-5154 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e40db4c6d391419c0039fe274c74df32a6ca1a28;hp=f793d97e454a56d17e404004867985622ca1a63b
PRGNAM=qemu
VERSION=${VERSION:-2.3.0}
-BUILD=${BUILD:-3}
+BUILD=${BUILD:-4}
TAG=${TAG:-_SBo}
KVMGROUP=${KVMGROUP:-users}
@@ -139,10 +140,13 @@ if [ "$LIBUSB" = "yes" ]; then
fi
# patch Venom bug CVE-2015-3456
-patch -p1 < $CWD/qemu_venom.patch
+patch -p1 < $CWD/patches/qemu_venom.patch
# patch PCNET controller bug CVE-2015-3209
-patch -p1 < $CWD/qemu_pcnet.patch
+patch -p1 < $CWD/patches/qemu_pcnet.patch
+
+# patch ATAPI heap overflow bug CVE-2015-5154
+patch -p1 < $CWD/patches/qemu_atapi.patch
PKG_CONFIG_PATH+="${USBSTATIC}" \
CFLAGS="$SLKCFLAGS" \
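Review bot: The new `patch -p1 < $CWD/patches/qemu_atapi.patch` line, like the two existing patch lines above it, does not check the exit status of patch; unless the script enables `set -e` earlier (not visible in this hunk), a rejected hunk would let the build continue and produce a qemu package without the CVE-2015-5154 fix. Appending `|| exit 1` to each of the three patch lines, e.g. `patch -p1 < $CWD/patches/qemu_atapi.patch || exit 1`, makes a failed backport abort the build instead of silently shipping unpatched code. The same applies to the venom and pcnet lines that this hunk only relocates.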