diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-08-29 10:29:27 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-08-29 13:30:51 +0200 |
commit | a7eb7fc1cd1d8598d44b4b80ccf39855c9b58841 (patch) | |
tree | 989712d0e548ab581351231f87b9f0ff3f80da63 /recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch | |
parent | a60bc47b963ee456ce140cabb1e15a1275a2f67d (diff) | |
download | meta-nfv-access-common-a7eb7fc1cd1d8598d44b4b80ccf39855c9b58841.tar.gz |
qemu: CVE-2017-2620
QEMU built with the Cirrus CLGD 54xx VGA Emulator support
is vulnerable to an out-of-bounds access issue. The issue
could occur while copying VGA data in cirrus_bitblt_cputovideo.
References:
==========
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2620
Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch')
-rw-r--r-- | recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch b/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch new file mode 100644 index 0000000..3910fb9 --- /dev/null +++ b/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From fc8e94c3e5e74437c4e73a5582f17cfd4cae5ccf Mon Sep 17 00:00:00 2001 | ||
2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
3 | Date: Wed, 8 Feb 2017 11:18:36 +0100 | ||
4 | Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo | ||
5 | (CVE-2017-2620) | ||
6 | |||
7 | CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination | ||
8 | and blit width, at all. Oops. Fix it. | ||
9 | |||
10 | Security impact: high. | ||
11 | |||
12 | The missing blit destination check allows to write to host memory. | ||
13 | Basically same as CVE-2014-8106 for the other blit variants. | ||
14 | |||
15 | CVE: CVE-2017-2620 | ||
16 | Upstream-Status: Backport | ||
17 | |||
18 | Cc: qemu-stable@nongnu.org | ||
19 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
20 | (cherry picked from commit 92f2b88cea48c6aeba8de568a45f2ed958f3c298) | ||
21 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
22 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
23 | --- | ||
24 | hw/display/cirrus_vga.c | 8 ++++++++ | ||
25 | 1 file changed, 8 insertions(+) | ||
26 | |||
27 | diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c | ||
28 | index 629a5c8..6766349 100644 | ||
29 | --- a/hw/display/cirrus_vga.c | ||
30 | +++ b/hw/display/cirrus_vga.c | ||
31 | @@ -873,6 +873,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) | ||
32 | { | ||
33 | int w; | ||
34 | |||
35 | + if (blit_is_unsafe(s, true)) { | ||
36 | + return 0; | ||
37 | + } | ||
38 | + | ||
39 | s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; | ||
40 | s->cirrus_srcptr = &s->cirrus_bltbuf[0]; | ||
41 | s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; | ||
42 | @@ -898,6 +902,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) | ||
43 | } | ||
44 | s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; | ||
45 | } | ||
46 | + | ||
47 | + /* the blit_is_unsafe call above should catch this */ | ||
48 | + assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); | ||
49 | + | ||
50 | s->cirrus_srcptr = s->cirrus_bltbuf; | ||
51 | s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; | ||
52 | cirrus_update_memory_access(s); | ||
53 | -- | ||
54 | 1.9.1 | ||
55 | |||