From: Li Wang <li.w...@windriver.com> [ CQID: WIND00392008 ]
the patch come from:
http://xenbits.xen.org/gitweb/?p=qemu-upstream-unstable.git;a=commit;h=87650d262dea07c955a683dcac75db86477c7ee3
console: bounds check whenever changing the cursor due to an escape code
This is XSA-17 / CVE-2012-3515
Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating
certain devices with a virtual console backend, allows local OS guest
users to gain privileges via a crafted escape VT100 sequence that triggers
the overwrite of a device model's address space.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3515
Signed-off-by: Ian Campbell <ian.campb...@citrix.com>
Signed-off-by: Li Wang <li.w...@windriver.com>
Signed-off-by: Robert Yang <liezhi.y...@windriver.com>
Signed-off-by: Mark Hatle <mark.ha...@windriver.com>
---
 .../qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch | 129 +++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_0.15.1.bb | 3 +-
 2 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch
diff --git a/meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch b/meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch
new file mode 100644
index 0000000..10c8b21
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch
@@ -0,0 +1,129 @@
+qemu CVE-2012-3515
+
+the patch come from:
+http://xenbits.xen.org/gitweb/?p=qemu-upstream-unstable.git;a=commit;h=87650d262dea07c955a683dcac75db86477c7ee3
+console: bounds check whenever changing the cursor due to an escape code
+This is XSA-17 / CVE-2012-3515
+
+Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating
+certain devices with a virtual console backend, allows local OS guest
+users to gain privileges via a crafted escape VT100 sequence that triggers
+the overwrite of a device model's address space.
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3515
+
+Signed-off-by: Ian Campbell <ian.campb...@citrix.com>
+Signed-off-by: Li Wang <li.w...@windriver.com>
+---
+ console.c | 57 ++++++++++++++++++++++++++++-----------------------------
+ 1 files changed, 28 insertions(+), 29 deletions(-)
+
+diff --git a/console.c b/console.c
+index acd8ca1..ed88462 100644
+--- a/console.c
++++ b/console.c
+@@ -833,6 +833,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
+ update_xy(s, x, y);
+ }
+
++/* set cursor, checking bounds */
++static void set_cursor(TextConsole *s, int x, int y)
++{
++ if (x < 0) {
++ x = 0;
++ }
++ if (y < 0) {
++ y = 0;
++ }
++ if (y >= s->height) {
++ y = s->height - 1;
++ }
++ if (x >= s->width) {
++ x = s->width - 1;
++ }
++
++ s->x = x;
++ s->y = y;
++}
++
+ static void console_putchar(TextConsole *s, int ch)
+ {
+ TextCell *c;
+@@ -904,7 +924,8 @@ static void console_putchar(TextConsole *s, int ch)
+ s->esc_params[s->nb_esc_params] * 10 + ch - '0';
+ }
+ } else {
+- s->nb_esc_params++;
++ if (s->nb_esc_params < MAX_ESC_PARAMS)
++ s->nb_esc_params++;
+ if (ch == ';')
+ break;
+#ifdef DEBUG_CONSOLE
+@@ -918,59 +939,37 @@ static void console_putchar(TextConsole *s, int ch)
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y -= s->esc_params[0];
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->x, s->y - s->esc_params[0]);
+ break;
+ case 'B':
+ /* move cursor down */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y += s->esc_params[0];
+- if (s->y >= s->height) {
+- s->y = s->height - 1;
+- }
++ set_cursor(s, s->x, s->y + s->esc_params[0]);
+ break;
+ case 'C':
+ /* move cursor right */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x += s->esc_params[0];
+- if (s->x >= s->width) {
+- s->x = s->width - 1;
+- }
++ set_cursor(s, s->x + s->esc_params[0], s->y);
+ break;
+ case 'D':
+ /* move cursor left */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x -= s->esc_params[0];
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->x - s->esc_params[0], s->y);
+ break;
+ case 'G':
+ /* move cursor to column */
+- s->x = s->esc_params[0] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->esc_params[0] - 1, s->y);
+ break;
+ case 'f':
+ case 'H':
+ /* move cursor to row, column */
+- s->x = s->esc_params[1] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
+- s->y = s->esc_params[0] - 1;
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
+ break;
+ case 'J':
+ switch (s->esc_params[0]) {
+--
+1.7.0.5
+
diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb
index cb0e5dd..75d3d8e 100644
--- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb
+++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb
@@ -3,7 +3,7 @@ require qemu.inc
 LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
 file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
-PR = "r11"
+PR = "r12"
 FILESPATH = "${FILE_DIRNAME}/qemu-${PV}"
 FILESDIR = "${WORKDIR}"
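Review bot: The new `set_cursor()` clamps only after its caller has already done the arithmetic, and the parameter feeding that arithmetic is accumulated with no limit at `s->esc_params[s->nb_esc_params] * 10 + ch - '0';`, so a guest that sends a digit run of ten or more characters still overflows a signed `int` — undefined behaviour — once in the accumulation and again in `s->x + s->esc_params[0]` (and the sibling `s->y + ...`, `s->x - ...`, `s->y - ...` calls in the `'A'`–`'D'` cases) before any bound is applied. Saturating the accumulation at the parser closes both holes, provided the cap is kept far enough below `INT_MAX` that adding a cursor coordinate cannot wrap; the `nb_esc_params < MAX_ESC_PARAMS` guard that presumably encloses this line sits just above the hunk and is unaffected. The assignment's left-hand side and the digit test are outside the hunk, as are the start and end of `console_putchar`, and `INT_MAX` needs `<limits.h>` if console.c does not already include it.
```c
/* … unchanged: digit test and MAX_ESC_PARAMS guard above (outside the hunk) … */
                    int *param = &s->esc_params[s->nb_esc_params];
                    int digit = ch - '0';

                    /* saturate instead of overflowing on a long digit run; the cap
                     * stays far enough below INT_MAX that s->x + *param cannot wrap */
                    *param = (*param <= (INT_MAX / 2 - digit) / 10) ?
                             *param * 10 + digit : INT_MAX / 2;
```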
@@ -23,6 +23,7 @@ SRC_URI = "\
 file://0001-ppc64-Fix-linker-script.patch \
 file://ppc-s500-set-invalid-mask.patch \
 file://hw-pl031-Actually-raise-interrupt-on-timer-expiry.patch \
+ file://qemu-CVE-2012-3515.patch \
 "
 # Only use the GL passthrough patches for native/nativesdk versions
--
1.8.1.2.545.g2f19ada
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core