diff options
-rw-r--r-- | system/qemu/patches/qemu_atapi.patch | 91 | ||||
-rw-r--r-- | system/qemu/patches/qemu_pcnet.patch (renamed from system/qemu/qemu_pcnet.patch) | 2 | ||||
-rw-r--r-- | system/qemu/patches/qemu_venom.patch (renamed from system/qemu/qemu_venom.patch) | 2 | ||||
-rw-r--r-- | system/qemu/qemu.SlackBuild | 10 |
4 files changed, 100 insertions, 5 deletions
diff --git a/system/qemu/patches/qemu_atapi.patch b/system/qemu/patches/qemu_atapi.patch new file mode 100644 index 0000000000000..f977b4f2816c4 --- /dev/null +++ b/system/qemu/patches/qemu_atapi.patch @@ -0,0 +1,91 @@ +diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c +index 950e311..79dd167 100644 (file) +--- a/hw/ide/atapi.c ++++ b/hw/ide/atapi.c +@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf) + + if (pwrcnd) { + /* eject/load only happens for power condition == 0 */ ++ ide_atapi_cmd_ok(s); + return; + } + +diff --git a/hw/ide/core.c b/hw/ide/core.c +index 122e955..50449ca 100644 (file) +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -2021,11 +2021,17 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) + } + + p = s->data_ptr; ++ if (p + 2 > s->data_end) { ++ return; ++ } ++ + *(uint16_t *)p = le16_to_cpu(val); + p += 2; + s->data_ptr = p; +- if (p >= s->data_end) ++ if (p >= s->data_end) { ++ s->status &= ~DRQ_STAT; + s->end_transfer_func(s); ++ } + } + + uint32_t ide_data_readw(void *opaque, uint32_t addr) +@@ -2042,11 +2048,17 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) + } + + p = s->data_ptr; ++ if (p + 2 > s->data_end) { ++ return 0; ++ } ++ + ret = cpu_to_le16(*(uint16_t *)p); + p += 2; + s->data_ptr = p; +- if (p >= s->data_end) ++ if (p >= s->data_end) { ++ s->status &= ~DRQ_STAT; + s->end_transfer_func(s); ++ } + return ret; + } + +@@ -2063,11 +2075,17 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) + } + + p = s->data_ptr; ++ if (p + 4 > s->data_end) { ++ return; ++ } ++ + *(uint32_t *)p = le32_to_cpu(val); + p += 4; + s->data_ptr = p; +- if (p >= s->data_end) ++ if (p >= s->data_end) { ++ s->status &= ~DRQ_STAT; + s->end_transfer_func(s); ++ } + } + + uint32_t ide_data_readl(void *opaque, uint32_t addr) +@@ -2084,11 +2102,17 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) + } + + p = s->data_ptr; ++ if (p + 4 > s->data_end) { ++ return 0; ++ } ++ + ret = cpu_to_le32(*(uint32_t *)p); + p += 4; + s->data_ptr = p; +- if (p >= s->data_end) ++ if (p >= s->data_end) { ++ s->status &= ~DRQ_STAT; + s->end_transfer_func(s); ++ } + return ret; + } diff --git a/system/qemu/qemu_pcnet.patch b/system/qemu/patches/qemu_pcnet.patch index 5fc27c6069b0b..25c89cd90bc37 100644 --- a/system/qemu/qemu_pcnet.patch +++ b/system/qemu/patches/qemu_pcnet.patch @@ -15,4 +15,4 @@ index bdfd38f..68b9981 100644 (file) + s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); - s->xmit_pos += bcnt;
\ No newline at end of file + s->xmit_pos += bcnt; diff --git a/system/qemu/qemu_venom.patch b/system/qemu/patches/qemu_venom.patch index 00439e58282cb..0bbd18c223a9f 100644 --- a/system/qemu/qemu_venom.patch +++ b/system/qemu/patches/qemu_venom.patch @@ -55,4 +55,4 @@ index f72a392..d8a8edd 100644 (file) + fdctrl->fifo[pos] = value; if (fdctrl->data_pos == fdctrl->data_len) { /* We now have all parameters - * and will be able to treat the command
\ No newline at end of file + * and will be able to treat the command diff --git a/system/qemu/qemu.SlackBuild b/system/qemu/qemu.SlackBuild index 1da81e8417361..2d563cf528aeb 100644 --- a/system/qemu/qemu.SlackBuild +++ b/system/qemu/qemu.SlackBuild @@ -41,10 +41,11 @@ # 1.8 27-APR-2015 updated to version 2.3.0 # 1.9 14-MAY-2015 patched for "Venom" CVE-2015-3456 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c # 2.0 11-JUL-2015 patched for Heap-based buffer overflow in the PCNET controller CVE-2015-3209 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=9f7c594c006289ad41169b854d70f5da6e400a2a +# 2.1 27-JUL-2015 patched for heap overflow flaw while processing certain ATAPI commands CVE-2015-5154 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e40db4c6d391419c0039fe274c74df32a6ca1a28;hp=f793d97e454a56d17e404004867985622ca1a63b PRGNAM=qemu VERSION=${VERSION:-2.3.0} -BUILD=${BUILD:-3} +BUILD=${BUILD:-4} TAG=${TAG:-_SBo} KVMGROUP=${KVMGROUP:-users} @@ -139,10 +140,13 @@ if [ "$LIBUSB" = "yes" ]; then fi # patch Venom bug CVE-2015-3456 -patch -p1 < $CWD/qemu_venom.patch +patch -p1 < $CWD/patches/qemu_venom.patch # patch PCNET controller bug CVE-2015-3209 -patch -p1 < $CWD/qemu_pcnet.patch +patch -p1 < $CWD/patches/qemu_pcnet.patch + +# patch ATAPI heap overflow bug CVE-2015-5154 +patch -p1 < $CWD/patches/qemu_atapi.patch PKG_CONFIG_PATH+="${USBSTATIC}" \ CFLAGS="$SLKCFLAGS" \ |