Hello community, here is the log from the commit of package qemu checked in at Wed Jun 20 11:57:06 CEST 2007. -------- --- qemu/qemu.changes 2007-06-14 18:53:56.000000000 +0200 +++ /mounts/work_src_done/STABLE/qemu/qemu.changes 2007-06-20 10:59:38.000000000 +0200 @@ -1,0 +2,5 @@ +Wed Jun 20 10:59:11 CEST 2007 - uli@suse.de + +- added secfixes (bug #252519) + +------------------------------------------------------------------- New: ---- bug-252519_goo-qemu-sec-0.9.0.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qemu.spec ++++++ --- /var/tmp/diff_new_pack.n25639/_old 2007-06-20 11:51:37.000000000 +0200 +++ /var/tmp/diff_new_pack.n25639/_new 2007-06-20 11:51:37.000000000 +0200 @@ -17,7 +17,7 @@ Group: System/Emulators/Other Summary: Universal CPU emulator Version: 0.9.0 -Release: 36 +Release: 37 Source: %name-%version.tar.bz2 #Patch400: qemu-0.7.0-gcc4-dot-syms.patch #Patch401: qemu-0.8.0-gcc4-hacks.patch @@ -56,6 +56,7 @@ Patch43: qemu-0.9.0-futex.patch Patch44: qemu-0.9.0-robust_list.patch Patch45: qemu-0.9.0-wine.patch +Patch46: bug-252519_goo-qemu-sec-0.9.0.diff Source200: kvm_bios.bin Source201: zx-rom.bin Source202: COPYING.zx-rom @@ -152,6 +153,7 @@ %patch43 -p1 %patch44 -p1 %patch45 -p1 +%patch46 -p1 cp -p %SOURCE200 pc-bios/ cp -p %SOURCE202 . cd gcc-3.3.5 @@ -330,6 +332,8 @@ %endif %changelog +* Wed Jun 20 2007 - uli@suse.de +- added secfixes (bug #252519) * Thu Jun 14 2007 - agraf@suse.de - made wine work (set FS register to 0 on init) - suppressed robust_list warnings ++++++ bug-252519_goo-qemu-sec-0.9.0.diff ++++++ diff -rpu qemu-0.9.0.orig/block.c qemu-0.9.0/block.c --- qemu-0.9.0.orig/block.c 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/block.c 2007-02-20 22:41:03.000000000 +0000 
@@ -539,13 +539,22 @@ int bdrv_write(BlockDriverState *bs, int return -ENOMEDIUM; if (bs->read_only) return -EACCES; + if (sector_num < 0) + return -EINVAL; if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { memcpy(bs->boot_sector_data, buf, 512); } if (drv->bdrv_pwrite) { int ret, len; + unsigned ns; + + ns = sector_num * 512; len = nb_sectors * 512; - ret = drv->bdrv_pwrite(bs, sector_num * 512, buf, len); + + if (ns < 0) + return -EINVAL; + + ret = drv->bdrv_pwrite(bs, ns, buf, len); if (ret < 0) return ret; else if (ret != len) diff -rpu qemu-0.9.0.orig/hw/cirrus_vga.c qemu-0.9.0/hw/cirrus_vga.c --- qemu-0.9.0.orig/hw/cirrus_vga.c 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/hw/cirrus_vga.c 2007-02-21 17:00:09.585042632 +0000 @@ -217,6 +217,20 @@ #define CIRRUS_HOOK_NOT_HANDLED 0 #define CIRRUS_HOOK_HANDLED 1 +#define BLTUNSAFE(s) \ + ( \ + ( /* check dst is within bounds */ \ + (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \ + + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \ + (s)->vram_size \ + ) || \ + ( /* check src is within bounds */ \ + (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \ + + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \ + (s)->vram_size \ + ) \ + ) + struct CirrusVGAState; typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s, uint8_t * dst, const uint8_t * src, @@ -589,7 +603,7 @@ static void cirrus_invalidate_region(Cir for (y = 0; y < lines; y++) { off_cur = off_begin; - off_cur_end = off_cur + bytesperline; + off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask; off_cur &= TARGET_PAGE_MASK; while (off_cur < off_cur_end) { cpu_physical_memory_set_dirty(s->vram_offset + off_cur); 
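Review bot: `if (ns < 0) return -EINVAL;` can never be true, because `ns` is declared `unsigned` three lines above, so the check meant to catch an overflowed byte offset is dead code (and `-Wall` will flag the always-false comparison). Narrowing `sector_num * 512` into an `unsigned` (32 bits on the usual ABIs) also truncates any offset at or above 4 GiB before it reaches `drv->bdrv_pwrite`, whose offset parameter is presumably wider; the signature is cut off in the hunk header, so confirm. Keep the byte offset in the type of `sector_num`, reject a `sector_num` larger than that type's maximum divided by 512 before multiplying, and apply the same sign check to `nb_sectors`, which feeds `len = nb_sectors * 512` unchecked. `bdrv_write` starts and ends outside the hunk.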
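Review bot: `BLTUNSAFE(s)` bounds only `cirrus_blt_height * cirrus_blt_dstpitch` (and the src equivalent), so it does not account for the `cirrus_blt_width` bytes written by the last row; whenever the width exceeds the pitch the blit can still end past `vram_size` while the check passes. The operands are guest-programmed register values whose types are not visible here, so whether the products can overflow or go negative (the `cirrus_vga_rop.h` hunk in this same patch guards against negative pitches) should be confirmed before relying on the comparison. Consider bounding the last byte touched instead, e.g. `((s)->cirrus_blt_height - 1) * (s)->cirrus_blt_dstpitch + (s)->cirrus_blt_width + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > (s)->vram_size`, with `height == 0` handled separately, and the same for the source side. A short comment stating that the macro is evaluated before any guest-controlled blit touches `vram_ptr` would help the next reader see why every blit path must call it.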
@@ -604,7 +618,11 @@ static int cirrus_bitblt_common_patternc { uint8_t *dst; - dst = s->vram_ptr + s->cirrus_blt_dstaddr; + dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); + + if (BLTUNSAFE(s)) + return 0; + (*s->cirrus_rop) (s, dst, src, s->cirrus_blt_dstpitch, 0, s->cirrus_blt_width, s->cirrus_blt_height); @@ -620,8 +638,11 @@ static int cirrus_bitblt_solidfill(Cirru { cirrus_fill_t rop_func; + if (BLTUNSAFE(s)) + return 0; + rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; - rop_func(s, s->vram_ptr + s->cirrus_blt_dstaddr, + rop_func(s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), s->cirrus_blt_dstpitch, s->cirrus_blt_width, s->cirrus_blt_height); cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, @@ -640,8 +661,8 @@ static int cirrus_bitblt_solidfill(Cirru static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s) { return cirrus_bitblt_common_patterncopy(s, - s->vram_ptr + - (s->cirrus_blt_srcaddr & ~7)); + s->vram_ptr + ((s->cirrus_blt_srcaddr & ~7) & + s->cirrus_addr_mask)); } static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) @@ -691,8 +712,10 @@ static void cirrus_do_copy(CirrusVGAStat if (notify) vga_hw_update(); - (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr, - s->vram_ptr + s->cirrus_blt_srcaddr, + (*s->cirrus_rop) (s, s->vram_ptr + + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->vram_ptr + + (s->cirrus_blt_srcaddr & s->cirrus_addr_mask), s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, s->cirrus_blt_width, s->cirrus_blt_height); 
@@ -718,8 +741,14 @@ static int cirrus_bitblt_videotovideo_co s->cirrus_blt_srcaddr - s->start_addr, s->cirrus_blt_width, s->cirrus_blt_height); } else { - (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr, - s->vram_ptr + s->cirrus_blt_srcaddr, + + if (BLTUNSAFE(s)) + return 0; + + (*s->cirrus_rop) (s, s->vram_ptr + + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->vram_ptr + + (s->cirrus_blt_srcaddr & s->cirrus_addr_mask), s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, s->cirrus_blt_width, s->cirrus_blt_height); @@ -751,8 +780,9 @@ static void cirrus_bitblt_cputovideo_nex } else { /* at least one scan line */ do { - (*s->cirrus_rop)(s, s->vram_ptr + s->cirrus_blt_dstaddr, - s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1); + (*s->cirrus_rop)(s, s->vram_ptr + + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1); cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0, s->cirrus_blt_width, 1); s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch; @@ -1857,7 +1887,7 @@ static void cirrus_mem_writeb_mode4and5_ unsigned val = mem_value; uint8_t *dst; - dst = s->vram_ptr + offset; + dst = s->vram_ptr + (offset &= s->cirrus_addr_mask); for (x = 0; x < 8; x++) { if (val & 0x80) { *dst = s->cirrus_shadow_gr1; @@ -1880,7 +1910,7 @@ static void cirrus_mem_writeb_mode4and5_ unsigned val = mem_value; uint8_t *dst; - dst = s->vram_ptr + offset; + dst = s->vram_ptr + (offset &= s->cirrus_addr_mask); for (x = 0; x < 8; x++) { if (val & 0x80) { *dst = s->cirrus_shadow_gr1; diff -rpu qemu-0.9.0.orig/hw/cirrus_vga_rop.h qemu-0.9.0/hw/cirrus_vga_rop.h --- qemu-0.9.0.orig/hw/cirrus_vga_rop.h 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/hw/cirrus_vga_rop.h 2007-02-21 01:45:32.000000000 +0000 
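Review bot: Masking the start address with `cirrus_addr_mask` bounds only the first byte of a write: in the `cirrus_bitblt_cputovideo_next` hunk each row still writes `cirrus_blt_width` bytes from `(s->cirrus_blt_dstaddr & s->cirrus_addr_mask)`, and in the two `cirrus_mem_writeb_mode4and5` hunks the `for (x = 0; x < 8; x++)` loop stores through `dst` for eight pixels starting at `(offset &= s->cirrus_addr_mask)` (the advance of `dst` is outside the visible lines). If the masked address lies within a few bytes of the top of VRAM those stores run past it unless `vram_ptr` has slack the hunk does not show; a check such as `if ((offset & s->cirrus_addr_mask) + 8 > s->vram_size) return;` and a width-based equivalent in the cputovideo path, which does not call `BLTUNSAFE` in the visible lines, would close that. The `offset &= …` embedded in the pointer expression also reads more clearly as its own statement before the assignment to `dst`. All three functions begin outside their hunks.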
@@ -31,6 +31,12 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(C int x,y; dstpitch -= bltwidth; srcpitch -= bltwidth; + + if (dstpitch < 0 || srcpitch < 0) { + /* is 0 valid? srcpitch == 0 could be useful */ + return; + } + for (y = 0; y < bltheight; y++) { for (x = 0; x < bltwidth; x++) { ROP_OP(*dst, *src); diff -rpu qemu-0.9.0.orig/hw/dma.c qemu-0.9.0/hw/dma.c --- qemu-0.9.0.orig/hw/dma.c 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/hw/dma.c 2007-02-20 21:53:41.000000000 +0000 @@ -340,9 +340,11 @@ static void channel_run (int ncont, int #endif r = dma_controllers[ncont].regs + ichan; - n = r->transfer_handler (r->opaque, ichan + (ncont << 2), - r->now[COUNT], (r->base[COUNT] + 1) << ncont); - r->now[COUNT] = n; + if (r->transfer_handler) { + n = r->transfer_handler (r->opaque, ichan + (ncont << 2), + r->now[COUNT], (r->base[COUNT] + 1) << ncont); + r->now[COUNT] = n; + } ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont); } diff -rpu qemu-0.9.0.orig/hw/fdc.c qemu-0.9.0/hw/fdc.c --- qemu-0.9.0.orig/hw/fdc.c 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/hw/fdc.c 2007-02-20 23:41:01.000000000 +0000 @@ -1100,8 +1100,13 @@ static uint32_t fdctrl_read_data (fdctrl len = fdctrl->data_len - fdctrl->data_pos; if (len > FD_SECTOR_LEN) len = FD_SECTOR_LEN; - bdrv_read(cur_drv->bs, fd_sector(cur_drv), - fdctrl->fifo, len); + if (cur_drv->bs) { + bdrv_read(cur_drv->bs, fd_sector(cur_drv), + fdctrl->fifo, len); + } else { + FLOPPY_ERROR("can't read data from drive\n"); + return 0; + } } } retval = fdctrl->fifo[pos]; diff -rpu qemu-0.9.0.orig/hw/i8259.c qemu-0.9.0/hw/i8259.c --- qemu-0.9.0.orig/hw/i8259.c 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/hw/i8259.c 2007-02-20 21:53:41.000000000 +0000 
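Review bot: The comment `/* is 0 valid? srcpitch == 0 could be useful */` records an open question rather than the guard's intent, and the question is ambiguous because `srcpitch` has already had `bltwidth` subtracted on the line above, so a zero here means the original pitch equalled the width. State what the check enforces, e.g. `/* pitch < width after the subtraction: rows would overlap and a size check on height * pitch does not cover the blit; refuse it. */`, and track the pitch-zero question elsewhere. The guard also returns silently, so a caller cannot distinguish a refused blit from a completed one; that may be fine for a void rop but deserves a sentence in the comment. The function begins above the hunk.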
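Review bot: When `r->transfer_handler` is NULL the new guard skips the assignment to `n`, but the following `ldebug ("dma_pos %d size %d\n", n, ...)` still reads `n`; unless `n` is initialized at its declaration above the hunk, that is a read of an indeterminate value whenever the debug macro expands to a real call. Either initialize it at the declaration (`int n = 0;`, if that is its type) or move the `ldebug` inside the `if` block. `channel_run` begins outside the hunk.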
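Review bot: The new branch handles a missing `cur_drv->bs`, but the `bdrv_read(...)` call inside it still ignores its return value, so a failed read (the block layer returns negative errno codes, as the `bdrv_write` hunk in this same patch shows) leaves whatever was previously in `fdctrl->fifo` to be returned to the guest at `retval = fdctrl->fifo[pos]`. Fold both failures into the one error path: `if (!cur_drv->bs || bdrv_read(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, len) < 0) { FLOPPY_ERROR("can't read data from drive\n"); return 0; }`. `fdctrl_read_data` begins outside the hunk.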
@@ -299,9 +299,11 @@ static void pic_ioport_write(void *opaqu s->init_state = 1; s->init4 = val & 1; if (val & 0x02) - hw_error("single mode not supported"); + /* hw_error("single mode not supported"); */ + return; if (val & 0x08) - hw_error("level sensitive irq not supported"); + /* hw_error("level sensitive irq not supported"); */ + return; } else if (val & 0x08) { if (val & 0x04) s->poll = 1; diff -rpu qemu-0.9.0.orig/hw/ne2000.c qemu-0.9.0/hw/ne2000.c --- qemu-0.9.0.orig/hw/ne2000.c 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/hw/ne2000.c 2007-02-20 21:53:41.000000000 +0000 @@ -230,7 +230,7 @@ static void ne2000_receive(void *opaque, { NE2000State *s = opaque; uint8_t *p; - int total_len, next, avail, len, index, mcast_idx; + unsigned int total_len, next, avail, len, index, mcast_idx; uint8_t buf1[60]; static const uint8_t broadcast_macaddr[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; @@ -299,7 +299,11 @@ static void ne2000_receive(void *opaque, /* write packet data */ while (size > 0) { - avail = s->stop - index; + /* taviso: this can wrap, so check its okay. */ + if (index <= s->stop) + avail = s->stop - index; + else + avail = 0; len = size; if (len > avail) len = avail; diff -rpu qemu-0.9.0.orig/hw/pc.c qemu-0.9.0/hw/pc.c --- qemu-0.9.0.orig/hw/pc.c 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/hw/pc.c 2007-02-20 21:53:41.000000000 +0000 @@ -299,7 +299,8 @@ void bochs_bios_write(void *opaque, uint case 0x400: case 0x401: fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val); - exit(1); + /* according to documentation, these can be safely ignored */ + break; case 0x402: case 0x403: #ifdef DEBUG_BIOS 
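Review bot: The two early `return`s are taken after `s->init_state = 1` and `s->init4 = val & 1` have already been stored, so an initialization command word requesting single mode or level-sensitive IRQs leaves the controller mid-sequence in a mode the model does not implement; reset `s->init_state = 0` before returning, or fall through and ignore only the unsupported bit. The commented-out `hw_error(...)` calls should be deleted rather than kept as dead text, replaced by a one-line comment stating why the request is ignored, e.g. `/* unsupported by this model; ignore rather than abort the VM on guest input */`. Bracing the `if` bodies would also avoid the comment-between-condition-and-statement layout. `pic_ioport_write` begins outside the hunk.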
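Review bot: Clamping `avail` to 0 when `index > s->stop` only neutralises the subtraction; `len` then becomes 0 and, if the rest of the `while (size > 0)` loop (outside the hunk) advances `index` and `size` only by `len`, the loop makes no progress and never terminates on a guest-supplied out-of-range `index`. Dropping the packet is the safer response: `if (index > s->stop) return;` before the loop, or in place of the `else avail = 0;` inside it. The switch of `total_len`, `next`, `avail`, `len`, `index`, `mcast_idx` to `unsigned int` in the first hunk also changes the sense of every comparison against signed values such as `size`, if that parameter is signed; those comparisons deserve a pass. `ne2000_receive` begins above the hunks.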
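Review bot: Replacing `exit(1)` with `break` removes the guest-triggerable host exit, but `fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val)` still runs on every write to ports 0x400/0x401 (and the VGA equivalent in the next hunk at 0x501/0x502), so a guest can now flood the host's stderr indefinitely instead of terminating it. Rate-limit the message or move it under `#ifdef DEBUG_BIOS` like the neighbouring 0x402/0x403 cases. If `val` is unsigned, as the truncated `uint` in the signature suggests, `%d` is also a format mismatch and `%u` would match. `bochs_bios_write` begins outside the hunk.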
@@ -322,8 +323,9 @@ void bochs_bios_write(void *opaque, uint /* LGPL'ed VGA BIOS messages */ case 0x501: case 0x502: + /* according to documentation, these can be safely ignored */ fprintf(stderr, "VGA BIOS panic, line %d\n", val); - exit(1); + break; case 0x500: case 0x503: #ifdef DEBUG_BIOS diff -rpu qemu-0.9.0.orig/hw/sb16.c qemu-0.9.0/hw/sb16.c --- qemu-0.9.0.orig/hw/sb16.c 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/hw/sb16.c 2007-02-20 21:53:41.000000000 +0000 @@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in s->block_size); #endif - while (s->left_till_irq <= 0) { - s->left_till_irq = s->block_size + s->left_till_irq; + if (s->block_size) { + while (s->left_till_irq <= 0) { + s->left_till_irq = s->block_size + s->left_till_irq; + } } return dma_pos; diff -rpu qemu-0.9.0.orig/slirp/slirp.c qemu-0.9.0/slirp/slirp.c --- qemu-0.9.0.orig/slirp/slirp.c 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/slirp/slirp.c 2007-02-20 21:53:41.000000000 +0000 @@ -611,6 +611,10 @@ void slirp_input(const uint8_t *pkt, int if (!m) return; /* Note: we add to align the IP header */ + /* taviso: large values in ne2k TCNT register may exceed msize on transmit */ + if (M_FREEROOM(m) < pkt_len + 2) { + m_inc(m, pkt_len + 2); + } m->m_len = pkt_len + 2; memcpy(m->m_data + 2, pkt, pkt_len); diff -rpu qemu-0.9.0.orig/target-i386/translate.c qemu-0.9.0/target-i386/translate.c --- qemu-0.9.0.orig/target-i386/translate.c 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/target-i386/translate.c 2007-02-20 21:53:41.000000000 +0000 @@ -5326,7 +5326,12 @@ static target_ulong disas_insn(DisasCont if (CODE64(s)) goto illegal_op; val = ldub_code(s->pc++); - gen_op_aam(val); + /* taviso: operand can be zero */ + if (val) { + gen_op_aam(val); + } else { + gen_exception(s, EXCP00_DIVZ, s->pc - s->cs_base); + } s->cc_op = CC_OP_LOGICB; break; case 0xd5: /* aad */ 
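Review bot: `if (s->block_size)` stops the `while (s->left_till_irq <= 0)` loop from spinning on a zero block size, but if `block_size` can be negative (its type is not visible in the hunk) the loop still never terminates, since each iteration makes `left_till_irq` smaller. `if (s->block_size > 0) {` covers both cases at no extra cost. `SB_read_DMA` begins outside the hunk.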
@@ -5374,6 +5379,7 @@ static target_ulong disas_insn(DisasCont gen_jmp_im(pc_start - s->cs_base); gen_op_into(s->pc - pc_start); break; +#ifdef WANT_ICEBP case 0xf1: /* icebp (undocumented, exits to external debugger) */ #if 1 gen_debug(s, pc_start - s->cs_base); @@ -5383,6 +5389,7 @@ static target_ulong disas_insn(DisasCont cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM); #endif break; +#endif /* icebp */ case 0xfa: /* cli */ if (!s->vm86) { if (s->cpl <= s->iopl) { diff -rpu qemu-0.9.0.orig/vl.c qemu-0.9.0/vl.c --- qemu-0.9.0.orig/vl.c 2007-02-05 23:01:54.000000000 +0000 +++ qemu-0.9.0/vl.c 2007-02-20 21:53:41.000000000 +0000 @@ -3329,8 +3329,8 @@ typedef struct NetSocketState { VLANClientState *vc; int fd; int state; /* 0 = getting length, 1 = getting data */ - int index; - int packet_len; + unsigned int index; + unsigned int packet_len; uint8_t buf[4096]; struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */ } NetSocketState; @@ -3361,7 +3361,8 @@ static void net_socket_receive_dgram(voi static void net_socket_send(void *opaque) { NetSocketState *s = opaque; - int l, size, err; + int size, err; + unsigned l; uint8_t buf1[4096]; const uint8_t *buf; @@ -3400,7 +3401,15 @@ static void net_socket_send(void *opaque l = s->packet_len - s->index; if (l > size) l = size; - memcpy(s->buf + s->index, buf, l); + if (s->index + l <= sizeof(s->buf)) { + memcpy(s->buf + s->index, buf, l); + } else { + fprintf(stderr, "serious error: oversized packet received," + "connection terminated.\n"); + s->state = 0; + goto eoc; + } + s->index += l; buf += l; size -= l; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
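Review bot: The two adjacent string literals in the new error path concatenate to `"serious error: oversized packet received,connection terminated.\n"` with no space after the comma; add one to the first literal. The message also overstates what the code does: it resets `s->state` and jumps to `eoc`, and unless `eoc` closes the socket (it is outside the hunk) the connection stays open and `s->index` keeps its value, so the next chunk may be processed against stale state; reset `s->index = 0` alongside `s->state` at least. Since `packet_len` is read in state 0 (`/* 0 = getting length, 1 = getting data */` in the struct hunk), rejecting a `packet_len` larger than `sizeof(s->buf)` at that point would refuse the oversized frame once rather than on every data chunk. `net_socket_send` begins outside the hunk.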