Commit 7e224e4a authored by Leonardo Arena's avatar Leonardo Arena

main/qemu: security fix (CVE-2015-8550, xsa-155). Fixes #5160

(cherry picked from commit 561bee69)
parent 88cebe5b
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=qemu
pkgver=2.4.1
pkgrel=3
pkgrel=4
pkgdesc="QEMU is a generic machine emulator and virtualizer"
url="http://qemu.org/"
arch="all"
......@@ -118,10 +118,13 @@ source="http://wiki.qemu-project.org/download/qemu-$pkgver.tar.bz2
musl-F_SHLCK-and-F_EXLCK.patch
fix-sigevent-and-sigval_t.patch
xsa155-qemu-qdisk-double-access.patch
xsa155-qemu-xenfb.patch
qemu-guest-agent.confd
qemu-guest-agent.initd
80-kvm.rules"
80-kvm.rules
"
prepare() {
cd "$srcdir"/$pkgname-$pkgver
......@@ -325,6 +328,8 @@ md5sums="a895e93ec1dafc34bc64ed676f0d55a6 qemu-2.4.1.tar.bz2
d364208c4847ad2baeb237900befecd1 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
bc5f2e41ed3b6d6d30b672adab82e3e1 musl-F_SHLCK-and-F_EXLCK.patch
9afbd6c9586229ce64275f012d665e2a fix-sigevent-and-sigval_t.patch
6240b501f6f8a2b98e993ea471aa3e96 xsa155-qemu-qdisk-double-access.patch
fad7b109e196f888be9d8a8aaf38452f xsa155-qemu-xenfb.patch
1663bc6977f6886a58394155b1bf3676 qemu-guest-agent.confd
4cb15a1c3de2691dd65842f2325dfe22 qemu-guest-agent.initd
66660f143235201249dc0648b39b86ee 80-kvm.rules"
......@@ -333,6 +338,8 @@ af35304b165622a53f7557b59ffd8da5030f5fd444e669c862f9410131f3b987 0001-elfload-l
6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
eefd597197223899d3b12d8274af493153e270fd06ea8622e33d6eaeae063d40 musl-F_SHLCK-and-F_EXLCK.patch
9abdf3410dea742cac3552363950c8a7fbcec8dd2bfd68e3c417a284f4e702f5 fix-sigevent-and-sigval_t.patch
044ff74fa048df820d528f64f2791ec9cb3940bd313c1179020bd49a6cde2ca3 xsa155-qemu-qdisk-double-access.patch
e53b4ac298648cde79344192d5a58ca8d8724344f5105bec7c09eef095c668f6 xsa155-qemu-xenfb.patch
d84e53a94584f37f3bd1b21f44077b5de0d07094c6729f26ae20ab1f7b9cc298 qemu-guest-agent.confd
91f5ba66b56bb9a3e0d134de3ea756794d5f09fe8a14a4b0d3d95f69a9245c60 qemu-guest-agent.initd
37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84 80-kvm.rules"
......@@ -341,6 +348,8 @@ sha512sums="fde32b71a50d888c1055e61f4e6dfc45bb97e8e9ebee490c545965fbdcbd5ffd859f
ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
5de10f7e8abae16d1d7521e5ca1bfb62a8f295b324bea84f122f882b7b9354c21e5a00b20a1c5484c1b737b937e53c4ca6979e55705522f0779a5669725369f5 musl-F_SHLCK-and-F_EXLCK.patch
e3f006c28318669356cd5b778f26774f06b0a40a4ac852573379df63efcc8276869958faec16797a38bf96c6061dfc040309e462d8559984f67eaf4af701ca1a fix-sigevent-and-sigval_t.patch
7434d7c770c4fb0e3d5fd73798bb60dd07bfc985453696f7167a043cd353ada1bb5471766821401fc20be5978ccb449bbcef40649ffb19041e907e2f49481b2b xsa155-qemu-qdisk-double-access.patch
206bd4bbdb2c55afd2272221892da4ea9fb44cdd005a47a1904d061222bcf51f12c8946b9fb11a28d5e589d41a5f739d4ca07c05c1784a70a5465edf44777775 xsa155-qemu-xenfb.patch
d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd
69457d757909b990f4fdfaef621696e5a5d287b42bc58e553cb52d85191788a269e91c0475bfb7223d3a9120c19cdf4d749b4d54013a644f33d0551517cdf094 qemu-guest-agent.initd
9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules"
xen/blkif: Avoid double access to src->nr_segments
src is stored in shared memory and src->nr_segments is dereferenced
twice at the end of the function. If a compiler decides to compile this
into two separate memory accesses then the size limitation could be
bypassed.
Fix it by removing the double access to src->nr_segments.
This is part of XSA-155.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
diff --git a/hw/block/xen_blkif.h b/hw/block/xen_blkif.h
index 711b692..9e71e00 100644
--- a/hw/block/xen_blkif.h
+++ b/hw/block/xen_blkif.h
@@ -85,8 +85,10 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque
d->nr_sectors = s->nr_sectors;
return;
}
- if (n > src->nr_segments)
- n = src->nr_segments;
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
+ barrier();
+ if (n > dst->nr_segments)
+ n = dst->nr_segments;
for (i = 0; i < n; i++)
dst->seg[i] = src->seg[i];
}
@@ -106,8 +108,10 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque
d->nr_sectors = s->nr_sectors;
return;
}
- if (n > src->nr_segments)
- n = src->nr_segments;
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
+ barrier();
+ if (n > dst->nr_segments)
+ n = dst->nr_segments;
for (i = 0; i < n; i++)
dst->seg[i] = src->seg[i];
}
xenfb: avoid reading twice the same fields from the shared page
Reading twice the same field could give the guest an attack of
opportunity. In the case of event->type, gcc could compile the switch
statement into a jump table, effectively ending up reading the type
field multiple times.
This is part of XSA-155.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
index 5e324ef..4e2a27a 100644
--- a/hw/display/xenfb.c
+++ b/hw/display/xenfb.c
@@ -784,18 +784,20 @@ static void xenfb_invalidate(void *opaque)
static void xenfb_handle_events(struct XenFB *xenfb)
{
- uint32_t prod, cons;
+ uint32_t prod, cons, out_cons;
struct xenfb_page *page = xenfb->c.page;
prod = page->out_prod;
- if (prod == page->out_cons)
+ out_cons = page->out_cons;
+ if (prod == out_cons)
return;
xen_rmb(); /* ensure we see ring contents up to prod */
- for (cons = page->out_cons; cons != prod; cons++) {
+ for (cons = out_cons; cons != prod; cons++) {
union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+ uint8_t type = event->type;
int x, y, w, h;
- switch (event->type) {
+ switch (type) {
case XENFB_TYPE_UPDATE:
if (xenfb->up_count == UP_QUEUE)
xenfb->up_fullscreen = 1;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment