svn commit: r387246 - in head/sysutils/xen-tools: . files
Xin LI
delphij at FreeBSD.org
Sun May 24 07:11:36 UTC 2015
Author: delphij
Date: Sun May 24 07:11:35 2015
New Revision: 387246
URL: https://svnweb.freebsd.org/changeset/ports/387246
Log:
Apply patch from XSA-133 to address CVE-2015-3456 "VENOM" attack.
Obtained from: http://xenbits.xen.org/xsa/advisory-133.html
Security: CVE-2015-3456
Added:
head/sysutils/xen-tools/files/patch-CVE-2015-3456 (contents, props changed)
Modified:
head/sysutils/xen-tools/Makefile
Modified: head/sysutils/xen-tools/Makefile
==============================================================================
--- head/sysutils/xen-tools/Makefile Sun May 24 07:11:34 2015 (r387245)
+++ head/sysutils/xen-tools/Makefile Sun May 24 07:11:35 2015 (r387246)
@@ -3,7 +3,7 @@
PORTNAME= xen
PKGNAMESUFFIX= -tools
PORTVERSION= 4.5.0
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= sysutils emulators
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/ \
http://code.coreboot.org/p/seabios/downloads/get/:seabios
Added: head/sysutils/xen-tools/files/patch-CVE-2015-3456
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/sysutils/xen-tools/files/patch-CVE-2015-3456 Sun May 24 07:11:35 2015 (r387246)
@@ -0,0 +1,114 @@
+--- tools/qemu-xen-traditional/hw/fdc.c.orig 2014-10-06 15:50:24 UTC
++++ tools/qemu-xen-traditional/hw/fdc.c
+@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl
+ {
+ fdrive_t *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+ fdrive_t *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+ fdrive_t *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--- tools/qemu-xen/hw/block/fdc.c.orig 2014-12-02 10:41:02 UTC
++++ tools/qemu-xen/hw/block/fdc.c
+@@ -1440,7 +1440,7 @@ static uint32_t fdctrl_read_data(FDCtrl
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1449,8 +1449,8 @@ static uint32_t fdctrl_read_data(FDCtrl
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1794,10 +1794,13 @@ static void fdctrl_handle_option(FDCtrl
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1897,7 +1900,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1945,7 +1948,9 @@ static void fdctrl_write_data(FDCtrl *fd
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
More information about the svn-ports-all
mailing list