Univention Bugzilla – Attachment 6912 Details for
Bug 38173
xen: Multiple issues (3.2)
[patch]
CVE-2015-3456.patch from debian package version 4.1.4-3+deb7u6
CVE-2015-3456.patch (text/plain), 2.53 KB, created by
Arvid Requate
on 2015-05-19 15:46 CEST
>From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001 >From: Petr Matousek <pmatouse@redhat.com> >Date: Wed, 6 May 2015 09:48:59 +0200 >Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer > >During processing of certain commands such as FD_CMD_READ_ID and >FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could >get out of bounds leading to memory corruption with values coming >from the guest. > >Fix this by making sure that the index is always bounded by the >allocated memory. > >This is CVE-2015-3456. > >Signed-off-by: Petr Matousek <pmatouse@redhat.com> >Reviewed-by: John Snow <jsnow@redhat.com> >[Backport to 4.1: jmm] > >--- xen-4.1.4.orig/qemu/hw/fdc.c >+++ xen-4.1.4/qemu/hw/fdc.c >@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl > { > fdrive_t *cur_drv; > uint32_t retval = 0; >- int pos; >+ uint32_t pos; > > cur_drv = get_cur_drv(fdctrl); > fdctrl->dsr &= ~FD_DSR_PWRDOWN; >@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl > return 0; > } > pos = fdctrl->data_pos; >+ pos %= FD_SECTOR_LEN; > if (fdctrl->msr & FD_MSR_NONDMA) { >- pos %= FD_SECTOR_LEN; > if (pos == 0) { > if (fdctrl->data_pos != 0) > if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { >@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl > static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction) > { > fdrive_t *cur_drv = get_cur_drv(fdctrl); >+ uint32_t pos; > >- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { >+ pos = fdctrl->data_pos - 1; >+ pos %= FD_SECTOR_LEN; >+ if (fdctrl->fifo[pos] & 0x80) { > /* Command parameters done */ >- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { >+ if (fdctrl->fifo[pos] & 0x40) { > fdctrl->fifo[0] = fdctrl->fifo[1]; > fdctrl->fifo[2] = 0; > fdctrl->fifo[3] = 0; 
>@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256]; > static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) > { > fdrive_t *cur_drv; >- int pos; >+ uint32_t pos; > > /* Reset mode */ > if (!(fdctrl->dor & FD_DOR_nRESET)) { >@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t > } > > FLOPPY_DPRINTF("%s: %02x\n", __func__, value); >- fdctrl->fifo[fdctrl->data_pos++] = value; >+ pos = fdctrl->data_pos++; >+ pos %= FD_SECTOR_LEN; >+ fdctrl->fifo[pos] = value; > if (fdctrl->data_pos == fdctrl->data_len) { > /* We now have all parameters > * and will be able to treat the command
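Review bot: In fdctrl_read_data the wrap is applied only to the local copy `pos`, while `fdctrl->data_pos` keeps whatever value it had and is still tested directly in `if (fdctrl->data_pos != 0)`. Either clamp data_pos itself at the point where it is advanced, or add a comment stating that every fifo access in this function must index through pos, so that a later edit does not reintroduce an access through the raw field. The rest of the function is not visible in this hunk, so that invariant cannot be confirmed from the patch alone.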
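Review bot: In fdctrl_handle_drive_specification_command, `pos = fdctrl->data_pos - 1;` wraps to a very large value when data_pos is 0, and only the unsigned type of pos guarantees that the following `pos %= FD_SECTOR_LEN;` produces a non-negative index; with the `int` type this patch replaces in the other two functions, the remainder could be negative. That dependency deserves a one-line comment at the declaration, and an explicit check for data_pos == 0 before the subtraction would state the intent more clearly than relying on wraparound.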
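Review bot: In fdctrl_write_data the index is wrapped with `pos %= FD_SECTOR_LEN;` but `fdctrl->data_pos++` still grows without limit, so once data_pos passes FD_SECTOR_LEN further guest writes silently overwrite the start of the fifo instead of being rejected, and the `fdctrl->data_pos == fdctrl->data_len` test is made on the unwrapped value. Consider rejecting the write or resetting the command state when data_pos reaches the buffer size. The bound used is the constant FD_SECTOR_LEN, not the size the fifo was allocated with, which these hunks do not show; an assertion tying the two together would back the commit message's statement that the index is bounded by the allocated memory.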