Index: head/emulators/qemu/Makefile =================================================================== --- head/emulators/qemu/Makefile (revision 386592) +++ head/emulators/qemu/Makefile (revision 386593) 
@@ -1,162 +1,162 @@ # Created by: Juergen Lock # $FreeBSD$ PORTNAME= qemu PORTVERSION= 0.11.1 -PORTREVISION= 18 +PORTREVISION= 19 CATEGORIES= emulators MASTER_SITES= SAVANNAH \ http://bellard.org/qemu/ DIST_SUBDIR= qemu MAINTAINER= nox@FreeBSD.org COMMENT= QEMU CPU Emulator HAS_CONFIGURE= yes USES= gmake perl5 compiler:features USE_PERL5= build PATCH_STRIP= -p1 MAKE_ENV+= BSD_MAKE="${MAKE}" ONLY_FOR_ARCHS= amd64 i386 CONFLICTS= qemu-devel-[0-9]* qemu-sbruno-[0-9]* OPTIONS_DEFINE= KQEMU RTL8139_TIMER SAMBA SDL GNUTLS CURL PCAP GNS3 \ CDROM_DMA ADD_AUDIO ALL_TARGETS DOCS KQEMU_DESC= Build with (alpha!) accelerator module RTL8139_TIMER_DESC= allow use of re(4) nic with FreeBSD guests SAMBA_DESC= samba dependency (for -smb) SDL_DESC= SDL/X dependency (graphical output) GNUTLS_DESC= gnutls dependency (vnc encryption) CURL_DESC= libcurl dependency (remote images) PCAP_DESC= pcap dependency (networking with bpf) GNS3_DESC= gns3 patches (udp, promiscuous multicast) CDROM_DMA_DESC= IDE CDROM DMA ADD_AUDIO_DESC= Emulate more audio hardware (experimental!) 
ALL_TARGETS_DESC= Also build non-x86 targets OPTIONS_DEFAULT= SDL GNUTLS CURL PCAP GNS3 CDROM_DMA .include .if ${ARCH} == "i386" && ${COMPILER_TYPE} == "clang" # gcc49 breaks target-i386 on i386, and gcc48 breaks ALL_TARGETS on i386: # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196855 USE_GCC= 4.7 .else USE_GCC= any .endif .if empty(PORT_OPTIONS:MALL_TARGETS) CONFIGURE_ARGS+= --target-list=i386-softmmu,x86_64-softmmu PLIST_SUB+= ALLTARGETS="@comment " .else PLIST_SUB+= ALLTARGETS="" .endif WITHOUT_CPU_CFLAGS=yes #to avoid problems with register allocation CFLAGS:= ${CFLAGS:C/-fno-tree-vrp//} CONFIGURE_ARGS+= --prefix=${PREFIX} --cc=${CC} .if empty(PORT_OPTIONS:MSDL) CONFIGURE_ARGS+= --disable-sdl .else USE_SDL= sdl .endif .if empty(PORT_OPTIONS:MGNUTLS) CONFIGURE_ARGS+= --disable-vnc-tls .else LIB_DEPENDS+= libgnutls.so:${PORTSDIR}/security/gnutls .endif .if empty(PORT_OPTIONS:MCURL) CONFIGURE_ARGS+= --disable-curl .else LIB_DEPENDS+= libcurl.so:${PORTSDIR}/ftp/curl .endif .if ${PORT_OPTIONS:MPCAP} CONFIGURE_ARGS+= --enable-pcap .endif .if ${PORT_OPTIONS:MADD_AUDIO} CONFIGURE_ARGS+= --audio-card-list=ac97,es1370,sb16,cs4231a,adlib,gus .endif # XXX CONFIGURE_ARGS+= --disable-bsd-user .if ${PORT_OPTIONS:MSAMBA} RUN_DEPENDS+= ${LOCALBASE}/sbin/smbd:${PORTSDIR}/net/samba36 .endif .if ${PORT_OPTIONS:MKQEMU} BUILD_DEPENDS+= kqemu-kmod-devel>=1.4.0pre1:${PORTSDIR}/emulators/kqemu-kmod-devel RUN_DEPENDS+= kqemu-kmod-devel>=1.4.0pre1:${PORTSDIR}/emulators/kqemu-kmod-devel .else CONFIGURE_ARGS+= --disable-kqemu .endif .if ${PORT_OPTIONS:MDOCS} BUILD_DEPENDS+= texi2html:${PORTSDIR}/textproc/texi2html .else MAKE_ARGS+= NOPORTDOCS=1 .endif .if !defined(STRIP) || ${STRIP} == "" CONFIGURE_ARGS+=--disable-strip .endif .if ${ARCH} == "amd64" MAKE_ARGS+= ARCH=x86_64 .endif post-extract: @${MKDIR} ${WRKSRC}/kqemu @${TOUCH} ${WRKSRC}/kqemu/Makefile @${ECHO} all: > ${WRKSRC}/kqemu/Makefile.freebsd pre-patch: @for A in ${ONLY_FOR_ARCHS}; do \ ${MKDIR} ${WRKSRC}/bsd/$$A; \ done 
post-patch: .if ${PORT_OPTIONS:MRTL8139_TIMER} @cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/rtl8139-re-patch .endif .if ${PORT_OPTIONS:MPCAP} @cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/pcap-patch .endif .if ${PORT_OPTIONS:MGNS3} @cd ${WRKSRC} && ${PATCH} -p1 --quiet < ${FILESDIR}/gns3-patch .endif .if empty(PORT_OPTIONS:MCDROM_DMA) @cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/cdrom-dma-patch .endif @${REINPLACE_CMD} -E \ -e "/^by Tibor .TS. S/s|Sch.*z.$$|Schuetz.|" \ ${WRKSRC}/qemu-doc.texi @${REINPLACE_CMD} -E \ -e "s|^(CFLAGS=).*|\1${CFLAGS} -fno-strict-aliasing|" \ -e "s|^(LDFLAGS=).*|\1${LDFLAGS}|" \ ${WRKSRC}/Makefile.target @${REINPLACE_CMD} -E \ -e "s|^(CFLAGS=).*|\1${CFLAGS} -fno-strict-aliasing -I.|" \ -e "s|^(LDFLAGS=).*|\1${LDFLAGS}|" \ ${WRKSRC}/Makefile @${REINPLACE_CMD} -E \ -e "1s|^(#! )/usr/bin/perl|\1${PERL}|" \ ${WRKSRC}/texi2pod.pl # XXX need to disable usb host code on head while it's not ported to the # new usb stack yet post-configure: @${REINPLACE_CMD} -E \ -e "s|^(HOST_USB=)bsd|\1stub|" \ ${WRKSRC}/config-host.mak post-install: @${INSTALL_SCRIPT} ${FILESDIR}/qemu-ifup.sample ${STAGEDIR}${PREFIX}/etc @${INSTALL_SCRIPT} ${FILESDIR}/qemu-ifdown.sample ${STAGEDIR}${PREFIX}/etc .include Index: head/emulators/qemu/files/patch-CVE-2015-3456 =================================================================== --- head/emulators/qemu/files/patch-CVE-2015-3456 (nonexistent) +++ head/emulators/qemu/files/patch-CVE-2015-3456 (revision 386593) 
@@ -0,0 +1,44 @@
+--- a/hw/fdc.c
++++ b/hw/fdc.c
+@@ -1324,7 +1324,7 @@ static uint32_t fdctrl_read_data (fdctrl
+ {
+ fdrive_t *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+ 
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1333,8 +1333,8 @@ static uint32_t fdctrl_read_data (fdctrl
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1680,8 +1680,11 @@ static void fdctrl_handle_option (fdctrl
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+ fdrive_t *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
++
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
+-
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+ if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1778,7 +1782,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+ fdrive_t *cur_drv;
+- int pos;
++ uint32_t pos;
+ 
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
Property changes on: head/emulators/qemu/files/patch-CVE-2015-3456
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/emulators/qemu-devel/Makefile
===================================================================
--- head/emulators/qemu-devel/Makefile (revision 386592)
+++ head/emulators/qemu-devel/Makefile (revision 386593)
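Review bot: The 0.11.1 backport bounds only the first FIFO read in fdctrl_handle_drive_specification_command: the 1680 hunk keeps `if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {` as context, so that read still indexes with the unmasked guest-controlled data_pos, whereas the upstream commit (see the qemu-devel copy of this patch) changes it to `if (fdctrl->fifo[pos] & 0x40) {`. The 1778 hunk in fdctrl_write_data only retypes `int pos` to `uint32_t pos`; if 0.11.1's parameter path has the same `fdctrl->fifo[fdctrl->data_pos++] = value;` that upstream replaces with `pos = fdctrl->data_pos++; pos %= FD_SECTOR_LEN; fdctrl->fifo[pos] = value;`, the write that actually corrupts memory in CVE-2015-3456 is left unbounded here, and the rest of fdctrl_write_data is outside this hunk and should be checked. The 1680 hunk header also claims 8 old / 11 new lines while ten old-side and thirteen new-side lines appear beneath it, so it is worth confirming with `patch --dry-run -p1` (or `make patch`) against the 0.11.1 tree that the hunk applies as intended, unless the rendering here duplicated lines. Both functions touched by this patch begin and end outside the hunk.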
@@ -1,284 +1,285 @@ # Created by: Juergen Lock # $FreeBSD$ PORTNAME= qemu PORTVERSION= 2.3.0 +PORTREVISION= 1 CATEGORIES= emulators MASTER_SITES= http://wiki.qemu.org/download/:release \ LOCAL/nox:snapshot PKGNAMESUFFIX?= -devel DISTFILES= ${DISTNAME}${EXTRACT_SUFX}:release DIST_SUBDIR= qemu/${PORTVERSION} MAINTAINER= nox@FreeBSD.org COMMENT?= QEMU CPU Emulator - development version HAS_CONFIGURE= yes USES= gmake pkgconfig bison perl5 python:2,build tar:bzip2 USE_PERL5= build USE_XORG= pixman USE_GNOME+= glib20 PATCH_STRIP= -p1 MAKE_ENV+= BSD_MAKE="${MAKE}" ONLY_FOR_ARCHS= amd64 i386 powerpc powerpc64 # XXX someone wants to debug sparc64 hosts? OPTIONS_DEFINE= SAMBA X11 GTK2 OPENGL GNUTLS SASL JPEG PNG CURL \ CDROM_DMA PCAP USBREDIR GNS3 X86_TARGETS \ STATIC_LINK DOCS SAMBA_DESC= samba dependency (for -smb) GNUTLS_DESC= gnutls dependency (vnc encryption) SASL_DESC= cyrus-sasl dependency (vnc encryption) JPEG_DESC= jpeg dependency (vnc lossy compression) PNG_DESC= png dependency (vnc compression) CDROM_DMA_DESC= IDE CDROM DMA PCAP_DESC= pcap dependency (networking with bpf) USBREDIR_DESC= usb device network redirection (experimental!) 
GNS3_DESC= gns3 patches (promiscuous multicast) X86_TARGETS_DESC= Don't build non-x86 system targets BSD_USER_DESC= Also build bsd-user targets (for testing) STATIC_LINK_DESC= Statically link the executables OPTIONS_DEFAULT=X11 GTK2 OPENGL GNUTLS SASL JPEG PNG CDROM_DMA CURL PCAP .if !defined(QEMU_USER_STATIC) CONFLICTS_INSTALL= qemu-[0-9]* qemu-sbruno-[0-9]* .endif .include CONFIGURE_ARGS+= --localstatedir=/var CONFIGURE_ARGS+= --extra-ldflags=-L${LOCALBASE}/lib CONFIGURE_ARGS+= --disable-smartcard-nss --disable-libssh2 PORTDOCS= docs qemu-doc.html qemu-tech.html qmp-commands.txt .if defined(QEMU_USER_STATIC) .if ${ARCH} != "amd64" CONFIGURE_ARGS+= --target-list=i386-bsd-user,sparc-bsd-user,arm-bsd-user,mips-bsd-user,mipsel-bsd-user .else CONFIGURE_ARGS+= --target-list=i386-bsd-user,x86_64-bsd-user,sparc-bsd-user,sparc64-bsd-user,arm-bsd-user,mips-bsd-user,mipsel-bsd-user,mips64-bsd-user,mips64el-bsd-user .endif .else .if ${PORT_OPTIONS:MX86_TARGETS} .if ${PORT_OPTIONS:MBSD_USER} .if ${ARCH} != "amd64" CONFIGURE_ARGS+= --target-list=i386-softmmu,x86_64-softmmu,i386-bsd-user,sparc-bsd-user,arm-bsd-user,mips-bsd-user,mipsel-bsd-user .else CONFIGURE_ARGS+= --target-list=i386-softmmu,x86_64-softmmu,i386-bsd-user,x86_64-bsd-user,sparc-bsd-user,sparc64-bsd-user,arm-bsd-user,mips-bsd-user,mipsel-bsd-user,mips64-bsd-user,mips64el-bsd-user .endif .else CONFIGURE_ARGS+= --target-list=i386-softmmu,x86_64-softmmu .endif .else .if empty(PORT_OPTIONS:MBSD_USER) CONFIGURE_ARGS+= --disable-bsd-user .else .if ${ARCH} != "amd64" CONFIGURE_ARGS+= 
--target-list=i386-softmmu,x86_64-softmmu,aarch64-softmmu,alpha-softmmu,arm-softmmu,cris-softmmu,lm32-softmmu,m68k-softmmu,microblaze-softmmu,microblazeel-softmmu,mips-softmmu,mipsel-softmmu,mips64-softmmu,mips64el-softmmu,or32-softmmu,ppc-softmmu,ppcemb-softmmu,ppc64-softmmu,sh4-softmmu,sh4eb-softmmu,sparc-softmmu,sparc64-softmmu,s390x-softmmu,xtensa-softmmu,xtensaeb-softmmu,unicore32-softmmu,moxie-softmmu,i386-bsd-user,sparc-bsd-user,arm-bsd-user,mips-bsd-user,mipsel-bsd-user .endif .endif .endif .endif .if empty(PORT_OPTIONS:MBSD_USER) PLIST_SUB+= BSD_USER="@comment " .else PLIST_SUB+= BSD_USER="" .if ${ARCH} == "sparc64" IGNORE= bsd-user targets not tested on sparc64 .endif .endif .if empty(PORT_OPTIONS:MBSD_USER) || ${ARCH} != "amd64" PLIST_SUB+= BSD_USER64="@comment " .else PLIST_SUB+= BSD_USER64="" .endif .if ${PORT_OPTIONS:MX86_TARGETS} PLIST_SUB+= NONX86="@comment " .else PLIST_SUB+= NONX86="" .endif .if defined(QEMU_USER_STATIC) PLIST_SUB+= SOFTMMU="@comment " PLIST_SUB+= STATIC="-static" .else PLIST_SUB+= SOFTMMU="" PLIST_SUB+= STATIC="" .endif .if ${PORT_OPTIONS:MGNS3} EXTRA_PATCHES+= ${FILESDIR}/hw_e1000_c.patch .endif WITHOUT_CPU_CFLAGS=yes #to avoid problems with register allocation CFLAGS:= ${CFLAGS:C/-fno-tree-vrp//} CONFIGURE_ARGS+= --prefix=${PREFIX} --cc=${CC} --enable-docs \ --disable-linux-user --disable-linux-aio \ --disable-kvm --disable-xen \ --smbd=${LOCALBASE}/sbin/smbd \ --enable-debug \ --enable-debug-info \ --extra-cflags=-I${WRKSRC}\ -I${LOCALBASE}/include\ -DPREFIX=\\\"${PREFIX}\\\" .if empty(PORT_OPTIONS:MX11) CONFIGURE_ARGS+= --disable-sdl .else CONFIGURE_ARGS+= --enable-sdl USE_SDL= sdl .endif .if empty(PORT_OPTIONS:MGTK2) CONFIGURE_ARGS+= --disable-gtk --disable-vte PLIST_SUB+= GTK2="@comment " .else USE_GNOME+= gtk20 vte USES+= gettext PLIST_SUB+= GTK2="" .endif .if empty(PORT_OPTIONS:MGNUTLS) CONFIGURE_ARGS+= --disable-vnc-tls .else LIB_DEPENDS+= libgnutls.so:${PORTSDIR}/security/gnutls .endif .if empty(PORT_OPTIONS:MSASL) 
CONFIGURE_ARGS+= --disable-vnc-sasl .else LIB_DEPENDS+= libsasl2.so:${PORTSDIR}/security/cyrus-sasl2 .endif .if empty(PORT_OPTIONS:MJPEG) CONFIGURE_ARGS+= --disable-vnc-jpeg .else LIB_DEPENDS+= libjpeg.so:${PORTSDIR}/graphics/jpeg .endif .if empty(PORT_OPTIONS:MPNG) CONFIGURE_ARGS+= --disable-vnc-png .else LIB_DEPENDS+= libpng.so:${PORTSDIR}/graphics/png .endif .if empty(PORT_OPTIONS:MCURL) CONFIGURE_ARGS+= --disable-curl .else LIB_DEPENDS+= libcurl.so:${PORTSDIR}/ftp/curl .endif .if empty(PORT_OPTIONS:MOPENGL) CONFIGURE_ARGS+= --disable-opengl .else USE_GL= yes .endif .if empty(PORT_OPTIONS:MUSBREDIR) CONFIGURE_ARGS+= --disable-usb-redir .else BUILD_DEPENDS+= usbredir>=0.6:${PORTSDIR}/net/usbredir RUN_DEPENDS+= usbredir>=0.6:${PORTSDIR}/net/usbredir .endif .if ${PORT_OPTIONS:MPCAP} CONFIGURE_ARGS+= --enable-pcap .endif .if ${PORT_OPTIONS:MSTATIC_LINK} .if ${PORT_OPTIONS:MGTK2} || ${PORT_OPTIONS:MX11} IGNORE= X11 ui cannot be built static .endif CONFIGURE_ARGS+= --static .endif .if ${PORT_OPTIONS:MSAMBA} RUN_DEPENDS+= ${LOCALBASE}/sbin/smbd:${PORTSDIR}/net/samba36 .endif .if ${PORT_OPTIONS:MDOCS} BUILD_DEPENDS+= texi2html:${PORTSDIR}/textproc/texi2html USES+= makeinfo .else MAKE_ARGS+= NOPORTDOCS=1 .endif .if !defined(STRIP) || ${STRIP} == "" CONFIGURE_ARGS+=--disable-strip .endif .if ${ARCH} == "amd64" MAKE_ARGS+= ARCH=x86_64 .endif .if ${ARCH} == "powerpc" MAKE_ARGS+= ARCH=ppc .endif .if ${ARCH} == "powerpc64" MAKE_ARGS+= ARCH=ppc64 .endif .if ${ARCH} == "sparc64" CONFIGURE_ARGS+= --sparc_cpu=v9 .endif .if ${OSVERSION} < 900033 BUILD_DEPENDS+= ${LOCALBASE}/bin/as:${PORTSDIR}/devel/binutils CONFIGURE_ENV+= AS=${LOCALBASE}/bin/as CONFIGURE_ENV+= LD=${LOCALBASE}/bin/ld CONFIGURE_ENV+= COMPILER_PATH=${LOCALBASE}/bin MAKE_ENV+= COMPILER_PATH=${LOCALBASE}/bin .endif CONFIGURE_ARGS+= --python=${PYTHON_CMD} # -lprocstat actually only _needs_ -lelf after r249666 or r250870 (MFC) # but it shouldn't matter much post-patch: .if ${OSVERSION} < 900000 @${REINPLACE_CMD} -e 
'/LIBS/s|-lprocstat||' ${WRKSRC}/configure .else @${REINPLACE_CMD} -e '/LIBS/s|-lprocstat|-lprocstat -lelf|' \ ${WRKSRC}/configure .endif @${REINPLACE_CMD} -e '/libs_qga=/s|glib_libs|glib_libs -lintl|' ${WRKSRC}/configure .if ${PORT_OPTIONS:MPCAP} @cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/pcap-patch .endif .if empty(PORT_OPTIONS:MCDROM_DMA) @cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/cdrom-dma-patch .endif @${REINPLACE_CMD} -E \ -e "/^by Tibor .TS. S/s|Sch.*z.$$|Schuetz.|" \ ${WRKSRC}/qemu-doc.texi @${REINPLACE_CMD} -E \ -e "s|^(CFLAGS=).*|\1${CFLAGS} -fno-strict-aliasing|" \ -e "s|^(LDFLAGS=).*|\1${LDFLAGS}|" \ ${WRKSRC}/Makefile.target @${REINPLACE_CMD} -E \ -e "s|^(CFLAGS=).*|\1${CFLAGS} -fno-strict-aliasing -I.|" \ -e "s|^(LDFLAGS=).*|\1${LDFLAGS}|" \ ${WRKSRC}/Makefile @${REINPLACE_CMD} -E \ -e "1s|^(#! )/usr/bin/perl|\1${PERL}|" \ ${WRKSRC}/scripts/texi2pod.pl # XXX need to disable usb host code on head while it's not ported to the # new usb stack yet post-configure: @${REINPLACE_CMD} -E \ -e "s|^(HOST_USB=)bsd|\1stub|" \ ${WRKSRC}/config-host.mak .if !target(post-install) post-install: .if ${PORT_OPTIONS:MDOCS} @(cd ${WRKSRC} && ${COPYTREE_SHARE} docs ${STAGEDIR}${DOCSDIR}/) .endif ${INSTALL_SCRIPT} ${FILESDIR}/qemu-ifup.sample ${STAGEDIR}${PREFIX}/etc ${INSTALL_SCRIPT} ${FILESDIR}/qemu-ifdown.sample ${STAGEDIR}${PREFIX}/etc @(cd ${STAGEDIR}${PREFIX}/etc/qemu && \ ${MV} -i target-x86_64.conf target-x86_64.conf.sample) @${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/qemu-* .endif .include Index: head/emulators/qemu-devel/files/patch-CVE-2015-3456 =================================================================== --- head/emulators/qemu-devel/files/patch-CVE-2015-3456 (nonexistent) +++ head/emulators/qemu-devel/files/patch-CVE-2015-3456 (revision 386593) 
@@ -0,0 +1,84 @@
+From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
+From: Petr Matousek
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek
+Reviewed-by: John Snow
+Signed-off-by: John Snow
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+ 
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+ 
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+ 
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+ 
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--
+1.7.0.4
+
Property changes on: head/emulators/qemu-devel/files/patch-CVE-2015-3456
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/emulators/qemu-sbruno/Makefile
===================================================================
--- head/emulators/qemu-sbruno/Makefile (revision 386592)
+++ head/emulators/qemu-sbruno/Makefile (revision 386593)
@@ -1,300 +1,301 @@ # Created by: Juergen Lock # $FreeBSD$ PORTNAME= qemu PORTVERSION= 2.3.50.g20150501 +PORTREVISION= 1 CATEGORIES= emulators MASTER_SITES= GH \ LOCAL/nox \ LOCAL/nox:dtc \ http://people.freebsd.org/~nox/tmp/distfiles/ \ http://people.freebsd.org/~nox/tmp/distfiles/:dtc PKGNAMESUFFIX?= -sbruno DISTFILES= ${DISTNAME}${EXTRACT_SUFX} \ dtc-v1.4.0${EXTRACT_SUFX}:dtc DIST_SUBDIR= qemu/${PORTVERSION} MAINTAINER= nox@FreeBSD.org COMMENT?= QEMU CPU Emulator - github bsd-user branch USE_GITHUB= yes GH_ACCOUNT= seanbruno GH_PROJECT= ${PORTNAME}-bsd-user GH_TAGNAME= 38afafe HAS_CONFIGURE= yes USES= gmake pkgconfig bison perl5 python:2,build USE_PERL5= build USE_XORG= pixman USE_GNOME+= glib20 PATCH_STRIP= -p1 MAKE_ENV+= BSD_MAKE="${MAKE}" ONLY_FOR_ARCHS= amd64 i386 powerpc powerpc64 # XXX someone wants to debug sparc64 hosts? OPTIONS_DEFINE= SAMBA X11 GTK2 OPENGL GNUTLS SASL JPEG PNG CURL \ CDROM_DMA PCAP USBREDIR X86_TARGETS BSD_USER \ STATIC_LINK DOCS SAMBA_DESC= samba dependency (for -smb) GNUTLS_DESC= gnutls dependency (vnc encryption) SASL_DESC= cyrus-sasl dependency (vnc encryption) JPEG_DESC= jpeg dependency (vnc lossy compression) PNG_DESC= png dependency (vnc compression) CDROM_DMA_DESC= IDE CDROM DMA PCAP_DESC= pcap dependency (networking with bpf) USBREDIR_DESC= usb device network redirection (experimental!) 
X86_TARGETS_DESC= Don't build non-x86 system targets BSD_USER_DESC= Also build bsd-user targets (for testing) STATIC_LINK_DESC= Statically link the executables OPTIONS_DEFAULT=X11 GTK2 OPENGL GNUTLS SASL JPEG PNG CDROM_DMA CURL PCAP .if !defined(QEMU_USER_STATIC) CONFLICTS_INSTALL= qemu-[0-9]* qemu-devel-* .endif .if defined(QEMU_USER_STATIC) .if exists(/usr/sbin/binmiscctl) USE_RC_SUBR= qemu_user_static SUB_LIST= NAME=qemu_user_static .endif .endif .include CONFIGURE_ARGS+= --localstatedir=/var CONFIGURE_ARGS+= --extra-ldflags=-L${LOCALBASE}/lib CONFIGURE_ARGS+= --disable-smartcard-nss --disable-libssh2 PORTDOCS= docs qemu-doc.html qemu-tech.html qmp-commands.txt .if defined(QEMU_USER_STATIC) .if ${ARCH} != "amd64" CONFIGURE_ARGS+= --target-list=i386-bsd-user,sparc-bsd-user,arm-bsd-user,mips-bsd-user,mipsel-bsd-user,ppc-bsd-user .else CONFIGURE_ARGS+= --target-list=i386-bsd-user,x86_64-bsd-user,sparc-bsd-user,sparc64-bsd-user,arm-bsd-user,mips-bsd-user,mipsel-bsd-user,mips64-bsd-user,mips64el-bsd-user,ppc-bsd-user,ppc64-bsd-user,aarch64-bsd-user .endif .else .if ${PORT_OPTIONS:MX86_TARGETS} .if ${PORT_OPTIONS:MBSD_USER} .if ${ARCH} != "amd64" CONFIGURE_ARGS+= --target-list=i386-softmmu,x86_64-softmmu,i386-bsd-user,sparc-bsd-user,arm-bsd-user,mips-bsd-user,mipsel-bsd-user,ppc-bsd-user .else CONFIGURE_ARGS+= --target-list=i386-softmmu,x86_64-softmmu,i386-bsd-user,x86_64-bsd-user,sparc-bsd-user,sparc64-bsd-user,arm-bsd-user,mips-bsd-user,mipsel-bsd-user,mips64-bsd-user,mips64el-bsd-user,ppc-bsd-user,ppc64-bsd-user,aarch64-bsd-user .endif .else CONFIGURE_ARGS+= --target-list=i386-softmmu,x86_64-softmmu .endif .else .if empty(PORT_OPTIONS:MBSD_USER) CONFIGURE_ARGS+= --disable-bsd-user .else .if ${ARCH} != "amd64" CONFIGURE_ARGS+= 
--target-list=i386-softmmu,x86_64-softmmu,aarch64-softmmu,alpha-softmmu,arm-softmmu,cris-softmmu,lm32-softmmu,m68k-softmmu,microblaze-softmmu,microblazeel-softmmu,mips-softmmu,mipsel-softmmu,mips64-softmmu,mips64el-softmmu,or32-softmmu,ppc-softmmu,ppcemb-softmmu,ppc64-softmmu,sh4-softmmu,sh4eb-softmmu,sparc-softmmu,sparc64-softmmu,s390x-softmmu,xtensa-softmmu,xtensaeb-softmmu,unicore32-softmmu,moxie-softmmu,i386-bsd-user,sparc-bsd-user,arm-bsd-user,mips-bsd-user,mipsel-bsd-user,ppc-bsd-user .endif .endif .endif .endif .if empty(PORT_OPTIONS:MBSD_USER) PLIST_SUB+= BSD_USER="@comment " .else PLIST_SUB+= BSD_USER="" .if ${ARCH} == "sparc64" IGNORE= bsd-user targets not tested on sparc64 .endif .endif .if empty(PORT_OPTIONS:MBSD_USER) || ${ARCH} != "amd64" PLIST_SUB+= BSD_USER64="@comment " .else PLIST_SUB+= BSD_USER64="" .endif .if ${PORT_OPTIONS:MX86_TARGETS} PLIST_SUB+= NONX86="@comment " .else PLIST_SUB+= NONX86="" .endif .if defined(QEMU_USER_STATIC) PLIST_SUB+= SOFTMMU="@comment " PLIST_SUB+= STATIC="-static" .else PLIST_SUB+= SOFTMMU="" PLIST_SUB+= STATIC="" .endif #.if ${PORT_OPTIONS:MGNS3} #EXTRA_PATCHES+= ${FILESDIR}/hw_e1000_c.patch #.endif WITHOUT_CPU_CFLAGS=yes #to avoid problems with register allocation CFLAGS:= ${CFLAGS:C/-fno-tree-vrp//} CONFIGURE_ARGS+= --prefix=${PREFIX} --cc=${CC} --enable-docs \ --disable-linux-user --disable-linux-aio \ --disable-kvm --disable-xen \ --smbd=${LOCALBASE}/sbin/smbd \ --enable-debug \ --enable-debug-info \ --extra-cflags=-I${WRKSRC}\ -I${LOCALBASE}/include\ -DPREFIX=\\\"${PREFIX}\\\" .if empty(PORT_OPTIONS:MX11) CONFIGURE_ARGS+= --disable-sdl .else CONFIGURE_ARGS+= --enable-sdl USE_SDL= sdl .endif .if empty(PORT_OPTIONS:MGTK2) CONFIGURE_ARGS+= --disable-gtk --disable-vte PLIST_SUB+= GTK2="@comment " .else USE_GNOME+= gtk20 vte USES+= gettext PLIST_SUB+= GTK2="" .endif .if empty(PORT_OPTIONS:MGNUTLS) CONFIGURE_ARGS+= --disable-vnc-tls .else LIB_DEPENDS+= libgnutls.so:${PORTSDIR}/security/gnutls .endif .if 
empty(PORT_OPTIONS:MSASL) CONFIGURE_ARGS+= --disable-vnc-sasl .else LIB_DEPENDS+= libsasl2.so:${PORTSDIR}/security/cyrus-sasl2 .endif .if empty(PORT_OPTIONS:MJPEG) CONFIGURE_ARGS+= --disable-vnc-jpeg .else LIB_DEPENDS+= libjpeg.so:${PORTSDIR}/graphics/jpeg .endif .if empty(PORT_OPTIONS:MPNG) CONFIGURE_ARGS+= --disable-vnc-png .else LIB_DEPENDS+= libpng.so:${PORTSDIR}/graphics/png .endif .if empty(PORT_OPTIONS:MCURL) CONFIGURE_ARGS+= --disable-curl .else LIB_DEPENDS+= libcurl.so:${PORTSDIR}/ftp/curl .endif .if empty(PORT_OPTIONS:MOPENGL) CONFIGURE_ARGS+= --disable-opengl .else USE_GL= yes .endif .if empty(PORT_OPTIONS:MUSBREDIR) CONFIGURE_ARGS+= --disable-usb-redir .else BUILD_DEPENDS+= usbredir>=0.6:${PORTSDIR}/net/usbredir RUN_DEPENDS+= usbredir>=0.6:${PORTSDIR}/net/usbredir .endif .if ${PORT_OPTIONS:MPCAP} CONFIGURE_ARGS+= --enable-pcap .else CONFIGURE_ARGS+= --disable-pcap .endif .if ${PORT_OPTIONS:MSTATIC_LINK} .if ${PORT_OPTIONS:MGTK2} || ${PORT_OPTIONS:MX11} IGNORE= X11 ui cannot be built static .endif CONFIGURE_ARGS+= --static .endif .if ${PORT_OPTIONS:MSAMBA} RUN_DEPENDS+= ${LOCALBASE}/sbin/smbd:${PORTSDIR}/net/samba36 .endif .if ${PORT_OPTIONS:MDOCS} BUILD_DEPENDS+= texi2html:${PORTSDIR}/textproc/texi2html USES+= makeinfo .else MAKE_ARGS+= NOPORTDOCS=1 .endif .if !defined(STRIP) || ${STRIP} == "" CONFIGURE_ARGS+=--disable-strip .endif .if ${ARCH} == "amd64" MAKE_ARGS+= ARCH=x86_64 .endif .if ${ARCH} == "powerpc" MAKE_ARGS+= ARCH=ppc .endif .if ${ARCH} == "powerpc64" MAKE_ARGS+= ARCH=ppc64 .endif .if ${ARCH} == "sparc64" CONFIGURE_ARGS+= --sparc_cpu=v9 .endif .if ${OSVERSION} < 900033 BUILD_DEPENDS+= ${LOCALBASE}/bin/as:${PORTSDIR}/devel/binutils CONFIGURE_ENV+= LD=${LOCALBASE}/bin/ld CONFIGURE_ENV+= COMPILER_PATH=${LOCALBASE}/bin MAKE_ENV+= COMPILER_PATH=${LOCALBASE}/bin .endif CONFIGURE_ARGS+= --python=${PYTHON_CMD} # -lprocstat actually only _needs_ -lelf after r249666 or r250870 (MFC) # but it shouldn't matter much post-patch: @${MV} ${WRKDIR}/dtc 
${WRKSRC} .if ${OSVERSION} < 900000 @${REINPLACE_CMD} -e '/LIBS/s|-lprocstat||' ${WRKSRC}/configure .else @${REINPLACE_CMD} -e '/LIBS/s|-lprocstat|-lprocstat -lelf|' \ ${WRKSRC}/configure .endif @${REINPLACE_CMD} -e '/libs_qga=/s|glib_libs|glib_libs -lintl|' ${WRKSRC}/configure #.if ${PORT_OPTIONS:MPCAP} # @cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/pcap-patch #.endif .if empty(PORT_OPTIONS:MCDROM_DMA) @cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/cdrom-dma-patch .endif @${REINPLACE_CMD} -E \ -e "/^by Tibor .TS. S/s|Sch.*z.$$|Schuetz.|" \ ${WRKSRC}/qemu-doc.texi @${REINPLACE_CMD} -E \ -e "s|^(CFLAGS=).*|\1${CFLAGS} -fno-strict-aliasing|" \ -e "s|^(LDFLAGS=).*|\1${LDFLAGS}|" \ ${WRKSRC}/Makefile.target @${REINPLACE_CMD} -E \ -e "s|^(CFLAGS=).*|\1${CFLAGS} -fno-strict-aliasing -I.|" \ -e "s|^(LDFLAGS=).*|\1${LDFLAGS}|" \ ${WRKSRC}/Makefile @${REINPLACE_CMD} -E \ -e "1s|^(#! )/usr/bin/perl|\1${PERL}|" \ ${WRKSRC}/scripts/texi2pod.pl # XXX need to disable usb host code on head while it's not ported to the # new usb stack yet post-configure: @${REINPLACE_CMD} -E \ -e "s|^(HOST_USB=)bsd|\1stub|" \ ${WRKSRC}/config-host.mak .if !target(post-install) post-install: .if ${PORT_OPTIONS:MDOCS} @(cd ${WRKSRC} && ${COPYTREE_SHARE} docs ${STAGEDIR}${DOCSDIR}/) .endif ${INSTALL_SCRIPT} ${FILESDIR}/qemu-ifup.sample ${STAGEDIR}${PREFIX}/etc ${INSTALL_SCRIPT} ${FILESDIR}/qemu-ifdown.sample ${STAGEDIR}${PREFIX}/etc @(cd ${STAGEDIR}${PREFIX}/etc/qemu && \ ${MV} -i target-x86_64.conf target-x86_64.conf.sample) @${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/qemu-* .endif .include Index: head/emulators/qemu-sbruno/files/patch-CVE-2015-3456 =================================================================== --- head/emulators/qemu-sbruno/files/patch-CVE-2015-3456 (nonexistent) +++ head/emulators/qemu-sbruno/files/patch-CVE-2015-3456 (revision 386593) 
@@ -0,0 +1,84 @@
+From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
+From: Petr Matousek
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek
+Reviewed-by: John Snow
+Signed-off-by: John Snow
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+ 
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+ 
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+ 
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+ 
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--
+1.7.0.4
+
Property changes on: head/emulators/qemu-sbruno/files/patch-CVE-2015-3456
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property