The so-called VENOM bug, CVE-2015-3456, has been public for a little while now, so go patch your copy of qemu etc.

What's that? You can't, but are interested in a systemtap band-aid? You've come to the right place. Behold:


    probe process("/usr/bin/qemu-system-*").function("fdctrl_write") {
      $reg = (($reg & ~7) | 6) # replace register address with 0x__6
      if (!noted[pid()]) { noted[pid()]=1; println("defanging fdc writes, pid=", pid()) }
    }
    global noted%

Running it will affect all current and future qemu-system-* processes (for as long as the systemtap script is alive). You will also need the qemu-debuginfo package installed, so that systemtap can resolve the fdctrl_write function and its reg parameter, and the script must run in guru mode (-g), because it writes to a target variable rather than only reading it.


    # stap -g antivenom.stp
    defanging fdc writes, pid=21911
    [...]
    ^C

As usual, this band-aid works by altering data of the vulnerable program during its execution, not by modifying control flow or program text. It is a blunt instrument - it completely disables the floppy-controller emulation, by redirecting every write to a port number that the emulator harmlessly rejects.

A more surgical correction, permitting I/O but manually wrapping around the FIFO pointers (as the upstream qemu fix does), may be possible. One option would be to insert probes that modify the fdctrl->data_pos variable used to calculate indexes into the fdctrl->fifo[] array (and then restore it). This seemed a little more tricky, but if someone needs a functional FDC emulation and a systemtap-based band-aid, such an approach could probably be made to work. Prototypes welcome!
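To make the difference between the two repair strategies concrete, here is a small constructed model of a controller data FIFO, added as an example for this post. It is not qemu's fdc.c and not the upstream fix; it only borrows the shape of the fields named above (data_pos, fifo[]), and the 512-byte FIFO size, the struct name fdc_model and all function names are assumptions. The unbounded writer refuses an out-of-range index instead of corrupting memory so the effect is visible; the wrapped writer reduces the index modulo the buffer size; and the band-aid writer leaves the write routine untouched and instead clamps data_pos just before it runs and restores the original counter afterwards, which is the data-only, entry/return-probe approach sketched in the paragraph above.

```c
/* Constructed model of a floppy-controller data FIFO (added example, not
 * QEMU code). FIFO_LEN = 512 and all names below are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_LEN 512

struct fdc_model {
    uint8_t  fifo[FIFO_LEN];
    uint32_t data_pos;   /* bytes pushed so far for the current command */
};

/* Unbounded indexing: the defect class the post is about. The model refuses
 * the write and returns -1 where a real emulator would write past fifo[]. */
static int fifo_write_unbounded(struct fdc_model *f, uint8_t value)
{
    uint32_t pos = f->data_pos++;
    if (pos >= FIFO_LEN)
        return -1;           /* out-of-bounds index observed, not performed */
    f->fifo[pos] = value;
    return (int)pos;
}

/* Wrapped indexing, in the spirit of the upstream correction: the counter
 * keeps advancing, the array index is reduced modulo the buffer size. */
static int fifo_write_wrapped(struct fdc_model *f, uint8_t value)
{
    uint32_t pos = f->data_pos++;
    pos %= FIFO_LEN;
    f->fifo[pos] = value;
    return (int)pos;
}

/* Data-only band-aid in the style of the systemtap idea above: do not touch
 * the write routine; clamp data_pos at "function entry", then restore the
 * original count (plus one) at "function return" so the rest of the command
 * state machine still sees the unmodified progress counter. */
static int fifo_write_bandaid(struct fdc_model *f, uint8_t value)
{
    uint32_t saved = f->data_pos;
    f->data_pos = saved % FIFO_LEN;                 /* entry probe */
    int pos = fifo_write_unbounded(f, value);       /* unmodified routine */
    f->data_pos = saved + 1;                        /* return probe */
    return pos;
}

typedef int (*fifo_writer)(struct fdc_model *, uint8_t);

/* Push n bytes through a writer on a fresh model; return how many writes
 * were refused, and optionally the final data_pos. */
static int feed(fifo_writer writer, uint32_t n, uint32_t *final_pos)
{
    struct fdc_model f;
    int refused = 0;
    memset(&f, 0, sizeof f);
    for (uint32_t i = 0; i < n; i++)
        if (writer(&f, (uint8_t)i) < 0)
            refused++;
    if (final_pos)
        *final_pos = f.data_pos;
    return refused;
}

/* Convenience wrapper: final data_pos after feeding n bytes. */
static uint32_t feed_final_pos(fifo_writer writer, uint32_t n)
{
    uint32_t pos = 0;
    feed(writer, n, &pos);
    return pos;
}

int main(void)
{
    /* 600 bytes is more than one FIFO's worth, so the unbounded model is
     * forced past the end of the buffer 88 times. */
    printf("unbounded: %d of 600 writes refused\n",
           feed(fifo_write_unbounded, 600, 0));
    printf("wrapped:   %d refused, final data_pos=%u\n",
           feed(fifo_write_wrapped, 600, 0), feed_final_pos(fifo_write_wrapped, 600));
    printf("band-aid:  %d refused, final data_pos=%u\n",
           feed(fifo_write_bandaid, 600, 0), feed_final_pos(fifo_write_bandaid, 600));
    return 0;
}
```

The point of the band-aid variant is that the emulator's own code never sees an index beyond the buffer, while the counter it later compares against the expected command length is exactly what it would have been without the probe; whether that restored state is safe for every FDC command is the part that makes the real qemu version "a little more tricky" and is not something this model can settle.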