[OE-core] [denzil 15/18] qemu CVE-2012-3515
Mark Hatle
mark.hatle at windriver.com
Thu Feb 7 23:56:42 UTC 2013
From: Li Wang <li.wang at windriver.com>
[ CQID: WIND00392008 ]
the patch comes from:
http://xenbits.xen.org/gitweb/?p=qemu-upstream-unstable.git;a=commit;h=87650d262dea07c955a683dcac75db86477c7ee3
console: bounds check whenever changing the cursor due to an escape code
This is XSA-17 / CVE-2012-3515
Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating
certain devices with a virtual console backend, allows local OS guest
users to gain privileges via a crafted escape VT100 sequence that triggers
the overwrite of a device model's address space.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3515
Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
Signed-off-by: Li Wang <li.wang at windriver.com>
Signed-off-by: Robert Yang <liezhi.yang at windriver.com>
Signed-off-by: Mark Hatle <mark.hatle at windriver.com>
---
.../qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch | 129 +++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_0.15.1.bb | 3 +-
2 files changed, 131 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch
diff --git a/meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch b/meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch
new file mode 100644
index 0000000..10c8b21
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch
@@ -0,0 +1,129 @@
+qemu CVE-2012-3515
+
+the patch come from:
+http://xenbits.xen.org/gitweb/?p=qemu-upstream-unstable.git;a=commit;h=87650d262dea07c955a683dcac75db86477c7ee3
+console: bounds check whenever changing the cursor due to an escape code
+This is XSA-17 / CVE-2012-3515
+
+Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating
+certain devices with a virtual console backend, allows local OS guest
+users to gain privileges via a crafted escape VT100 sequence that triggers
+the overwrite of a device model's address space.
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3515
+
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+Signed-off-by: Li Wang <li.wang at windriver.com>
+---
+ console.c | 57 ++++++++++++++++++++++++++++-----------------------------
+ 1 files changed, 28 insertions(+), 29 deletions(-)
+
+diff --git a/console.c b/console.c
+index acd8ca1..ed88462 100644
+--- a/console.c
++++ b/console.c
+@@ -833,6 +833,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
+ update_xy(s, x, y);
+ }
+
++/* set cursor, checking bounds */
++static void set_cursor(TextConsole *s, int x, int y)
++{
++ if (x < 0) {
++ x = 0;
++ }
++ if (y < 0) {
++ y = 0;
++ }
++ if (y >= s->height) {
++ y = s->height - 1;
++ }
++ if (x >= s->width) {
++ x = s->width - 1;
++ }
++
++ s->x = x;
++ s->y = y;
++}
++
+ static void console_putchar(TextConsole *s, int ch)
+ {
+ TextCell *c;
+@@ -904,7 +924,8 @@ static void console_putchar(TextConsole *s, int ch)
+ s->esc_params[s->nb_esc_params] * 10 + ch - '0';
+ }
+ } else {
+- s->nb_esc_params++;
++ if (s->nb_esc_params < MAX_ESC_PARAMS)
++ s->nb_esc_params++;
+ if (ch == ';')
+ break;
+ #ifdef DEBUG_CONSOLE
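Review bot: Capping `nb_esc_params` leaves `MAX_ESC_PARAMS` itself as a reachable value, yet the digit accumulation at the top of this hunk still writes `s->esc_params[s->nb_esc_params]`; that access needs the same `< MAX_ESC_PARAMS` guard, and whether one sits on the lines above the hunk is not visible here. The accumulation `s->esc_params[...] * 10 + ch - '0'` is also unbounded, so a long run of digits overflows a signed int (undefined behaviour) before any clamping happens, and the `s->x + s->esc_params[0]` / `s->y + s->esc_params[0]` additions in the 'B' and 'C' cases of the next hunk can overflow the same way; saturating during accumulation, e.g. only multiplying while `s->esc_params[s->nb_esc_params] < INT_MAX / 10`, covers both. As a point of style, the new `if` is unbraced while the surrounding cases brace single-statement bodies: `if (s->nb_esc_params < MAX_ESC_PARAMS) {`. console_putchar starts and ends outside this hunk.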
+@@ -918,59 +939,37 @@ static void console_putchar(TextConsole *s, int ch)
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y -= s->esc_params[0];
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->x, s->y - s->esc_params[0]);
+ break;
+ case 'B':
+ /* move cursor down */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y += s->esc_params[0];
+- if (s->y >= s->height) {
+- s->y = s->height - 1;
+- }
++ set_cursor(s, s->x, s->y + s->esc_params[0]);
+ break;
+ case 'C':
+ /* move cursor right */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x += s->esc_params[0];
+- if (s->x >= s->width) {
+- s->x = s->width - 1;
+- }
++ set_cursor(s, s->x + s->esc_params[0], s->y);
+ break;
+ case 'D':
+ /* move cursor left */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x -= s->esc_params[0];
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->x - s->esc_params[0], s->y);
+ break;
+ case 'G':
+ /* move cursor to column */
+- s->x = s->esc_params[0] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->esc_params[0] - 1, s->y);
+ break;
+ case 'f':
+ case 'H':
+ /* move cursor to row, column */
+- s->x = s->esc_params[1] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
+- s->y = s->esc_params[0] - 1;
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
+ break;
+ case 'J':
+ switch (s->esc_params[0]) {
+--
+1.7.0.5
+
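Review bot: The added patch file carries no `Upstream-Status:` tag, which OE-core expects on every patch shipped under a recipe so that its provenance can be tracked when the recipe is upgraded. Since the header already cites the xenbits commit it was taken from, a line `Upstream-Status: Backport` directly under that URL would satisfy the convention. The patch header otherwise repeats the commit message verbatim, so the CVE and XSA references are already in place.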
diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb
index cb0e5dd..75d3d8e 100644
--- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb
+++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb
@@ -3,7 +3,7 @@ require qemu.inc
LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
-PR = "r11"
+PR = "r12"
FILESPATH = "${FILE_DIRNAME}/qemu-${PV}"
FILESDIR = "${WORKDIR}"
@@ -23,6 +23,7 @@ SRC_URI = "\
file://0001-ppc64-Fix-linker-script.patch \
file://ppc-s500-set-invalid-mask.patch \
file://hw-pl031-Actually-raise-interrupt-on-timer-expiry.patch \
+ file://qemu-CVE-2012-3515.patch \
"
# Only use the GL passthrough patches for native/nativesdk versions
--
1.8.1.2.545.g2f19ada