head 1.2; access; symbols pkgsrc-2020Q2:1.1.0.42 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.22 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.44 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.40 pkgsrc-2019Q3-base:1.1 pkgsrc-2019Q2:1.1.0.38 pkgsrc-2019Q2-base:1.1 pkgsrc-2019Q1:1.1.0.36 pkgsrc-2019Q1-base:1.1 pkgsrc-2018Q4:1.1.0.34 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.32 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.30 pkgsrc-2018Q2-base:1.1 pkgsrc-2018Q1:1.1.0.28 pkgsrc-2018Q1-base:1.1 pkgsrc-2017Q4:1.1.0.26 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.24 pkgsrc-2017Q3-base:1.1 pkgsrc-2017Q2:1.1.0.20 pkgsrc-2017Q2-base:1.1 pkgsrc-2017Q1:1.1.0.18 pkgsrc-2017Q1-base:1.1 pkgsrc-2016Q4:1.1.0.16 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.14 pkgsrc-2016Q3-base:1.1 pkgsrc-2016Q2:1.1.0.12 pkgsrc-2016Q2-base:1.1 pkgsrc-2016Q1:1.1.0.10 pkgsrc-2016Q1-base:1.1 pkgsrc-2015Q4:1.1.0.8 pkgsrc-2015Q4-base:1.1 pkgsrc-2015Q3:1.1.0.6 pkgsrc-2015Q3-base:1.1 pkgsrc-2015Q2:1.1.0.4 pkgsrc-2015Q2-base:1.1 pkgsrc-2015Q1:1.1.0.2; locks; strict; comment @# @; 1.2 date 2020.08.19.10.39.24; author bouyer; state dead; branches; next 1.1; commitid DGAMglRf0Jde6FkC; 1.1 date 2015.06.05.18.41.18; author khorben; state Exp; branches 1.1.2.1; next ; commitid TXqV62tK5JskUgoy; 1.1.2.1 date 2015.06.05.18.41.18; author spz; state dead; branches; next 1.1.2.2; commitid ZcpnUKWbPbaTvfpy; 1.1.2.2 date 2015.06.13.09.13.56; author spz; state Exp; branches; next ; commitid ZcpnUKWbPbaTvfpy; desc @@ 1.2 log @Remove xenkernel and xentools packages older than 4.11. They're not maintained anymore upstream, and don't build on supported NetBSD releases. @ text @$NetBSD: patch-CVE-2015-3456,v 1.1 2015/06/05 18:41:18 khorben Exp $ fdc: force the fifo access to be in bounds of the allocated buffer During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest. Fix this by making sure that the index is always bounded by the allocated memory. This is CVE-2015-3456. Signed-off-by: Petr Matousek Reviewed-by: John Snow --- qemu-xen/hw/fdc.c.orig +++ qemu-xen/hw/fdc.c @@@@ -1497,7 +1497,7 @@@@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) { FDrive *cur_drv; uint32_t retval = 0; - int pos; + uint32_t pos; cur_drv = get_cur_drv(fdctrl); fdctrl->dsr &= ~FD_DSR_PWRDOWN; @@@@ -1506,8 +1506,8 @@@@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) return 0; } pos = fdctrl->data_pos; + pos %= FD_SECTOR_LEN; if (fdctrl->msr & FD_MSR_NONDMA) { - pos %= FD_SECTOR_LEN; if (pos == 0) { if (fdctrl->data_pos != 0) if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { @@@@ -1852,10 +1852,13 @@@@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) { FDrive *cur_drv = get_cur_drv(fdctrl); + uint32_t pos; - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { + pos = fdctrl->data_pos - 1; + pos %= FD_SECTOR_LEN; + if (fdctrl->fifo[pos] & 0x80) { /* Command parameters done */ - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { + if (fdctrl->fifo[pos] & 0x40) { fdctrl->fifo[0] = fdctrl->fifo[1]; fdctrl->fifo[2] = 0; fdctrl->fifo[3] = 0; @@@@ -1955,7 +1958,7 @@@@ static uint8_t command_to_handler[256]; static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) { FDrive *cur_drv; - int pos; + uint32_t pos; /* Reset mode */ if (!(fdctrl->dor & FD_DOR_nRESET)) { @@@@ -2004,7 +2007,9 @@@@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) } FLOPPY_DPRINTF("%s: %02x\n", __func__, value); - fdctrl->fifo[fdctrl->data_pos++] = value; + pos = fdctrl->data_pos++; + pos %= FD_SECTOR_LEN; + fdctrl->fifo[pos] = value; if (fdctrl->data_pos == fdctrl->data_len) { /* We now have all parameters * and will be able to treat the command --- qemu-xen-traditional/hw/fdc.c.orig +++ qemu-xen-traditional/hw/fdc.c @@@@ -1318,7 +1318,7 @@@@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) { fdrive_t *cur_drv; uint32_t retval = 0; - int pos; + uint32_t pos; cur_drv = get_cur_drv(fdctrl); fdctrl->dsr &= ~FD_DSR_PWRDOWN; @@@@ -1327,8 +1327,8 @@@@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) return 0; } pos = fdctrl->data_pos; + pos %= FD_SECTOR_LEN; if (fdctrl->msr & FD_MSR_NONDMA) { - pos %= FD_SECTOR_LEN; if (pos == 0) { if (fdctrl->data_pos != 0) if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { @@@@ -1673,10 +1673,13 @@@@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction) static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction) { fdrive_t *cur_drv = get_cur_drv(fdctrl); + uint32_t pos; - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { + pos = fdctrl->data_pos - 1; + pos %= FD_SECTOR_LEN; + if (fdctrl->fifo[pos] & 0x80) { /* Command parameters done */ - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { + if (fdctrl->fifo[pos] & 0x40) { fdctrl->fifo[0] = fdctrl->fifo[1]; fdctrl->fifo[2] = 0; fdctrl->fifo[3] = 0; @@@@ -1771,7 +1774,7 @@@@ static uint8_t command_to_handler[256]; static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) { fdrive_t *cur_drv; - int pos; + uint32_t pos; /* Reset mode */ if (!(fdctrl->dor & FD_DOR_nRESET)) { @@@@ -1817,7 +1820,9 @@@@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) } FLOPPY_DPRINTF("%s: %02x\n", __func__, value); - fdctrl->fifo[fdctrl->data_pos++] = value; + pos = fdctrl->data_pos++; + pos %= FD_SECTOR_LEN; + fdctrl->fifo[pos] = value; if (fdctrl->data_pos == fdctrl->data_len) { /* We now have all parameters * and will be able to treat the command @ 1.1 log @Apply fixes from upstream for XSA-133 XXX pull-ups @ text @d1 1 a1 1 $NetBSD: patch-CVE-2015-3456,v 1.1 2015/06/05 18:18:41 khorben Exp $ @ 1.1.2.1 log @file patch-CVE-2015-3456 was added on branch pkgsrc-2015Q1 on 2015-06-13 09:13:56 +0000 @ text @d1 131 @ 1.1.2.2 log @Pullup ticket #4746 - requested by khorben sysutils/xentools42: security patch Revisions pulled up: - sysutils/xentools42/Makefile 1.28 - sysutils/xentools42/distinfo 1.17 - sysutils/xentools42/patches/patch-CVE-2015-3456 1.1 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: khorben Date: Fri Jun 5 18:41:18 UTC 2015 Modified Files: pkgsrc/sysutils/xentools42: Makefile distinfo Added Files: pkgsrc/sysutils/xentools42/patches: patch-CVE-2015-3456 Log Message: Apply fixes from upstream for XSA-133 XXX pull-ups To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.28 pkgsrc/sysutils/xentools42/Makefile cvs rdiff -u -r1.16 -r1.17 pkgsrc/sysutils/xentools42/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xentools42/patches/patch-CVE-2015-3456 @ text @a0 131 $NetBSD$ fdc: force the fifo access to be in bounds of the allocated buffer During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest. Fix this by making sure that the index is always bounded by the allocated memory. This is CVE-2015-3456. Signed-off-by: Petr Matousek Reviewed-by: John Snow --- qemu-xen/hw/fdc.c.orig +++ qemu-xen/hw/fdc.c @@@@ -1497,7 +1497,7 @@@@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) { FDrive *cur_drv; uint32_t retval = 0; - int pos; + uint32_t pos; cur_drv = get_cur_drv(fdctrl); fdctrl->dsr &= ~FD_DSR_PWRDOWN; @@@@ -1506,8 +1506,8 @@@@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) return 0; } pos = fdctrl->data_pos; + pos %= FD_SECTOR_LEN; if (fdctrl->msr & FD_MSR_NONDMA) { - pos %= FD_SECTOR_LEN; if (pos == 0) { if (fdctrl->data_pos != 0) if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { @@@@ -1852,10 +1852,13 @@@@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) { FDrive *cur_drv = get_cur_drv(fdctrl); + uint32_t pos; - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { + pos = fdctrl->data_pos - 1; + pos %= FD_SECTOR_LEN; + if (fdctrl->fifo[pos] & 0x80) { /* Command parameters done */ - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { + if (fdctrl->fifo[pos] & 0x40) { fdctrl->fifo[0] = fdctrl->fifo[1]; fdctrl->fifo[2] = 0; fdctrl->fifo[3] = 0; @@@@ -1955,7 +1958,7 @@@@ static uint8_t command_to_handler[256]; static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) { FDrive *cur_drv; - int pos; + uint32_t pos; /* Reset mode */ if (!(fdctrl->dor & FD_DOR_nRESET)) { @@@@ -2004,7 +2007,9 @@@@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) } FLOPPY_DPRINTF("%s: %02x\n", __func__, value); - fdctrl->fifo[fdctrl->data_pos++] = value; + pos = fdctrl->data_pos++; + pos %= FD_SECTOR_LEN; + fdctrl->fifo[pos] = value; if (fdctrl->data_pos == fdctrl->data_len) { /* We now have all parameters * and will be able to treat the command --- qemu-xen-traditional/hw/fdc.c.orig +++ qemu-xen-traditional/hw/fdc.c @@@@ -1318,7 +1318,7 @@@@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) { fdrive_t *cur_drv; uint32_t retval = 0; - int pos; + uint32_t pos; cur_drv = get_cur_drv(fdctrl); fdctrl->dsr &= ~FD_DSR_PWRDOWN; @@@@ -1327,8 +1327,8 @@@@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) return 0; } pos = fdctrl->data_pos; + pos %= FD_SECTOR_LEN; if (fdctrl->msr & FD_MSR_NONDMA) { - pos %= FD_SECTOR_LEN; if (pos == 0) { if (fdctrl->data_pos != 0) if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { @@@@ -1673,10 +1673,13 @@@@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction) static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction) { fdrive_t *cur_drv = get_cur_drv(fdctrl); + uint32_t pos; - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { + pos = fdctrl->data_pos - 1; + pos %= FD_SECTOR_LEN; + if (fdctrl->fifo[pos] & 0x80) { /* Command parameters done */ - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { + if (fdctrl->fifo[pos] & 0x40) { fdctrl->fifo[0] = fdctrl->fifo[1]; fdctrl->fifo[2] = 0; fdctrl->fifo[3] = 0; @@@@ -1771,7 +1774,7 @@@@ static uint8_t command_to_handler[256]; static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) { fdrive_t *cur_drv; - int pos; + uint32_t pos; /* Reset mode */ if (!(fdctrl->dor & FD_DOR_nRESET)) { @@@@ -1817,7 +1820,9 @@@@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) } FLOPPY_DPRINTF("%s: %02x\n", __func__, value); - fdctrl->fifo[fdctrl->data_pos++] = value; + pos = fdctrl->data_pos++; + pos %= FD_SECTOR_LEN; + fdctrl->fifo[pos] = value; if (fdctrl->data_pos == fdctrl->data_len) { /* We now have all parameters * and will be able to treat the command @