diff options
Diffstat (limited to 'recipes-devtools')
-rw-r--r-- | recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch | 77 | ||||
-rw-r--r-- | recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch | 55 | ||||
-rw-r--r-- | recipes-devtools/qemu/qemu_%.bbappend | 6 |
3 files changed, 138 insertions, 0 deletions
diff --git a/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch b/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch new file mode 100644 index 0000000..5684062 --- /dev/null +++ b/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch | |||
@@ -0,0 +1,77 @@ | |||
1 | From 2ab8276a1cb2bcd0d14d4e05c193252f370b8251 Mon Sep 17 00:00:00 2001 | ||
2 | From: Bruce Rogers <brogers@suse.com> | ||
3 | Date: Mon, 9 Jan 2017 13:35:20 -0700 | ||
4 | Subject: [PATCH] display: cirrus: ignore source pitch value as needed in | ||
5 | blit_is_unsafe | ||
6 | |||
7 | Commit 4299b90 added a check which is too broad, given that the source | ||
8 | pitch value is not required to be initialized for solid fill operations. | ||
9 | This patch refines the blit_is_unsafe() check to ignore source pitch in | ||
10 | that case. After applying the above commit as a security patch, we | ||
11 | noticed the SLES 11 SP4 guest gui failed to initialize properly. | ||
12 | |||
13 | Upstream-Status: Backport [this patch is needed for CVE-2017-2620] | ||
14 | |||
15 | Signed-off-by: Bruce Rogers <brogers@suse.com> | ||
16 | Message-id: 20170109203520.5619-1-brogers@suse.com | ||
17 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
18 | (cherry picked from commit 913a87885f589d263e682c2eb6637c6e14538061) | ||
19 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
20 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
21 | --- | ||
22 | hw/display/cirrus_vga.c | 11 +++++++---- | ||
23 | 1 file changed, 7 insertions(+), 4 deletions(-) | ||
24 | |||
25 | diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c | ||
26 | index bdb092e..379910d 100644 | ||
27 | --- a/hw/display/cirrus_vga.c | ||
28 | +++ b/hw/display/cirrus_vga.c | ||
29 | @@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, | ||
30 | return false; | ||
31 | } | ||
32 | |||
33 | -static bool blit_is_unsafe(struct CirrusVGAState *s) | ||
34 | +static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) | ||
35 | { | ||
36 | /* should be the case, see cirrus_bitblt_start */ | ||
37 | assert(s->cirrus_blt_width > 0); | ||
38 | @@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) | ||
39 | s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { | ||
40 | return true; | ||
41 | } | ||
42 | + if (dst_only) { | ||
43 | + return false; | ||
44 | + } | ||
45 | if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, | ||
46 | s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { | ||
47 | return true; | ||
48 | @@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, | ||
49 | |||
50 | dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); | ||
51 | |||
52 | - if (blit_is_unsafe(s)) | ||
53 | + if (blit_is_unsafe(s, false)) | ||
54 | return 0; | ||
55 | |||
56 | (*s->cirrus_rop) (s, dst, src, | ||
57 | @@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) | ||
58 | { | ||
59 | cirrus_fill_t rop_func; | ||
60 | |||
61 | - if (blit_is_unsafe(s)) { | ||
62 | + if (blit_is_unsafe(s, true)) { | ||
63 | return 0; | ||
64 | } | ||
65 | rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; | ||
66 | @@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) | ||
67 | |||
68 | static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) | ||
69 | { | ||
70 | - if (blit_is_unsafe(s)) | ||
71 | + if (blit_is_unsafe(s, false)) | ||
72 | return 0; | ||
73 | |||
74 | return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, | ||
75 | -- | ||
76 | 1.9.1 | ||
77 | |||
diff --git a/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch b/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch new file mode 100644 index 0000000..3910fb9 --- /dev/null +++ b/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From fc8e94c3e5e74437c4e73a5582f17cfd4cae5ccf Mon Sep 17 00:00:00 2001 | ||
2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
3 | Date: Wed, 8 Feb 2017 11:18:36 +0100 | ||
4 | Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo | ||
5 | (CVE-2017-2620) | ||
6 | |||
7 | CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination | ||
8 | and blit width, at all. Oops. Fix it. | ||
9 | |||
10 | Security impact: high. | ||
11 | |||
12 | The missing blit destination check allows to write to host memory. | ||
13 | Basically same as CVE-2014-8106 for the other blit variants. | ||
14 | |||
15 | CVE: CVE-2017-2620 | ||
16 | Upstream-Status: Backport | ||
17 | |||
18 | Cc: qemu-stable@nongnu.org | ||
19 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
20 | (cherry picked from commit 92f2b88cea48c6aeba8de568a45f2ed958f3c298) | ||
21 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
22 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
23 | --- | ||
24 | hw/display/cirrus_vga.c | 8 ++++++++ | ||
25 | 1 file changed, 8 insertions(+) | ||
26 | |||
27 | diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c | ||
28 | index 629a5c8..6766349 100644 | ||
29 | --- a/hw/display/cirrus_vga.c | ||
30 | +++ b/hw/display/cirrus_vga.c | ||
31 | @@ -873,6 +873,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) | ||
32 | { | ||
33 | int w; | ||
34 | |||
35 | + if (blit_is_unsafe(s, true)) { | ||
36 | + return 0; | ||
37 | + } | ||
38 | + | ||
39 | s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; | ||
40 | s->cirrus_srcptr = &s->cirrus_bltbuf[0]; | ||
41 | s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; | ||
42 | @@ -898,6 +902,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) | ||
43 | } | ||
44 | s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; | ||
45 | } | ||
46 | + | ||
47 | + /* the blit_is_unsafe call above should catch this */ | ||
48 | + assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); | ||
49 | + | ||
50 | s->cirrus_srcptr = s->cirrus_bltbuf; | ||
51 | s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; | ||
52 | cirrus_update_memory_access(s); | ||
53 | -- | ||
54 | 1.9.1 | ||
55 | |||
diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend new file mode 100644 index 0000000..96a45b8 --- /dev/null +++ b/recipes-devtools/qemu/qemu_%.bbappend | |||
@@ -0,0 +1,6 @@ | |||
1 | # look for files in the layer first | ||
2 | FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" | ||
3 | |||
4 | SRC_URI += "file://0001-CVE-2017-2620.patch \ | ||
5 | file://0002-CVE-2017-2620.patch \ | ||
6 | " | ||