authorSona Sarmadi <sona.sarmadi@enea.com>2017-05-10 12:17:32 (GMT)
committerAdrian Dudau <adrian.dudau@enea.com>2017-05-11 13:28:43 (GMT)
commit71d585a8deafbeea66a517313d9ae10862484d22 (patch)
tree62f5374c4202f9885e855ef824ffe9e1231c1801
parent07c94f74cda62c672e7e80292f917a76e1214be0 (diff)
downloadpoky-71d585a8deafbeea66a517313d9ae10862484d22.tar.gz
qemu: Upgrade 2.5.1 -> 2.5.1.1
This is a minor upgrade that only comes with security fixes in the qemu VGA and UART code to avoid corruptions (CVE-2016-3710 and CVE-2016-3712). For review details, see http://git.qemu.org/?p=qemu.git;a=log;h=v2.5.1.1 (From OE-Core rev: da522c0c248c9a8b10a90de4cd6e7e05367e637d) This patch is backported from the upstream morty branch: http://git.yoctoproject.org/cgit/cgit.cgi/poky/patch/?id=b0207e742542cc44086d612df0a216cc45875538 Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch112
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p1.patch73
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch132
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p3.patch34
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch80
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.5.1.1.bb (renamed from meta/recipes-devtools/qemu/qemu_2.5.1.bb)9
6 files changed, 2 insertions, 438 deletions
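--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From 4f0323d26c8da08b7bcfdd4722a38711bd2f1a3b Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 26 Apr 2016 08:49:10 +0200
-Subject: [PATCH] vga: fix banked access bounds checking (CVE-2016-3710)
-
-vga allows banked access to video memory using the window at 0xa00000
-and it supports a different access modes with different address
-calculations.
-
-The VBE bochs extentions support banked access too, using the
-VBE_DISPI_INDEX_BANK register. The code tries to take the different
-address calculations into account and applies different limits to
-VBE_DISPI_INDEX_BANK depending on the current access mode.
-
-Which is probably effective in stopping misprogramming by accident.
-But from a security point of view completely useless as an attacker
-can easily change access modes after setting the bank register.
-
-Drop the bogus check, add range checks to vga_mem_{readb,writeb}
-instead.
-
-Fixes: CVE-2016-3710
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
-Upstream-Status: Backport
-CVE: CVE-2016-3710
-Signed-off-by: Armin Kuster <akuster@mvista.com>
----
- hw/display/vga.c | 24 ++++++++++++++++++------
- 1 file changed, 18 insertions(+), 6 deletions(-)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index 9f68394..442fee9 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -177,6 +177,7 @@ static void vga_update_memory_access(VGACommonState *s)
- size = 0x8000;
- break;
- }
-+ assert(offset + size <= s->vram_size);
- memory_region_init_alias(&s->chain4_alias, memory_region_owner(&s->vram),
- "vga.chain4", &s->vram, offset, size);
- memory_region_add_subregion_overlap(s->legacy_address_space, base,
-@@ -714,11 +715,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
- vbe_fixup_regs(s);
- break;
- case VBE_DISPI_INDEX_BANK:
-- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
-- val &= (s->vbe_bank_mask >> 2);
-- } else {
-- val &= s->vbe_bank_mask;
-- }
-+ val &= s->vbe_bank_mask;
- s->vbe_regs[s->vbe_index] = val;
- s->bank_offset = (val << 16);
- vga_update_memory_access(s);
-@@ -817,13 +814,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
-
- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
- /* chain 4 mode : simplest access */
-+ assert(addr < s->vram_size);
- ret = s->vram_ptr[addr];
- } else if (s->gr[VGA_GFX_MODE] & 0x10) {
- /* odd/even mode (aka text mode mapping) */
- plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
-- ret = s->vram_ptr[((addr & ~1) << 1) | plane];
-+ addr = ((addr & ~1) << 1) | plane;
-+ if (addr >= s->vram_size) {
-+ return 0xff;
-+ }
-+ ret = s->vram_ptr[addr];
- } else {
- /* standard VGA latched access */
-+ if (addr * sizeof(uint32_t) >= s->vram_size) {
-+ return 0xff;
-+ }
- s->latch = ((uint32_t *)s->vram_ptr)[addr];
-
- if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
-@@ -880,6 +885,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
- plane = addr & 3;
- mask = (1 << plane);
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
-+ assert(addr < s->vram_size);
- s->vram_ptr[addr] = val;
- #ifdef DEBUG_VGA_MEM
- printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
-@@ -893,6 +899,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
- mask = (1 << plane);
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
- addr = ((addr & ~1) << 1) | plane;
-+ if (addr >= s->vram_size) {
-+ return;
-+ }
- s->vram_ptr[addr] = val;
- #ifdef DEBUG_VGA_MEM
- printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
-@@ -966,6 +975,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
- mask = s->sr[VGA_SEQ_PLANE_WRITE];
- s->plane_updated |= mask; /* only used to detect font change */
- write_mask = mask16[mask];
-+ if (addr * sizeof(uint32_t) >= s->vram_size) {
-+ return;
-+ }
- ((uint32_t *)s->vram_ptr)[addr] =
- (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) |
- (val & write_mask);
---
-2.7.4
-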
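--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p1.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 46aff2c7e91ef9f372ad38ba5e90c42b9b27ac75 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 26 Apr 2016 14:11:34 +0200
-Subject: [PATCH 1/4] vga: add vbe_enabled() helper
-
-Makes code a bit easier to read.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
-Upstream-Status: Backport
-CVE: CVE-2016-3712 patch1
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- hw/display/vga.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index 442fee9..cc1a682 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -140,6 +140,11 @@ static uint32_t expand4[256];
- static uint16_t expand2[256];
- static uint8_t expand4to8[16];
-
-+static inline bool vbe_enabled(VGACommonState *s)
-+{
-+ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
-+}
-+
- static void vga_update_memory_access(VGACommonState *s)
- {
- hwaddr base, offset, size;
-@@ -562,7 +567,7 @@ static void vbe_fixup_regs(VGACommonState *s)
- uint16_t *r = s->vbe_regs;
- uint32_t bits, linelength, maxy, offset;
-
-- if (!(r[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
-+ if (!vbe_enabled(s)) {
- /* vbe is turned off -- nothing to do */
- return;
- }
-@@ -1056,7 +1061,7 @@ static void vga_get_offsets(VGACommonState *s,
- {
- uint32_t start_addr, line_offset, line_compare;
-
-- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
-+ if (vbe_enabled(s)) {
- line_offset = s->vbe_line_offset;
- start_addr = s->vbe_start_addr;
- line_compare = 65535;
-@@ -1381,7 +1386,7 @@ static int vga_get_bpp(VGACommonState *s)
- {
- int ret;
-
-- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
-+ if (vbe_enabled(s)) {
- ret = s->vbe_regs[VBE_DISPI_INDEX_BPP];
- } else {
- ret = 0;
-@@ -1393,7 +1398,7 @@ static void vga_get_resolution(VGACommonState *s, int *pwidth, int *pheight)
- {
- int width, height;
-
-- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
-+ if (vbe_enabled(s)) {
- width = s->vbe_regs[VBE_DISPI_INDEX_XRES];
- height = s->vbe_regs[VBE_DISPI_INDEX_YRES];
- } else {
---
-2.7.4
-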
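--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From 2f2f74e87c15e830f5a4dda7a166effcab5047ec Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 26 Apr 2016 15:24:18 +0200
-Subject: [PATCH 2/4] vga: factor out vga register setup
-
-When enabling vbe mode qemu will setup a bunch of vga registers to make
-sure the vga emulation operates in correct mode for a linear
-framebuffer. Move that code to a separate function so we can call it
-from other places too.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
-Upstream-Status: Backport
-CVE: CVE-2016-3712 patch2
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- hw/display/vga.c | 78 ++++++++++++++++++++++++++++++++------------------------
- 1 file changed, 44 insertions(+), 34 deletions(-)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index cc1a682..f1987e3 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -642,6 +642,49 @@ static void vbe_fixup_regs(VGACommonState *s)
- s->vbe_start_addr = offset / 4;
- }
-
-+/* we initialize the VGA graphic mode */
-+static void vbe_update_vgaregs(VGACommonState *s)
-+{
-+ int h, shift_control;
-+
-+ if (!vbe_enabled(s)) {
-+ /* vbe is turned off -- nothing to do */
-+ return;
-+ }
-+
-+ /* graphic mode + memory map 1 */
-+ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
-+ VGA_GR06_GRAPHICS_MODE;
-+ s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
-+ s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
-+ /* width */
-+ s->cr[VGA_CRTC_H_DISP] =
-+ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
-+ /* height (only meaningful if < 1024) */
-+ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
-+ s->cr[VGA_CRTC_V_DISP_END] = h;
-+ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
-+ ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
-+ /* line compare to 1023 */
-+ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
-+ s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
-+ s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
-+
-+ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
-+ shift_control = 0;
-+ s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
-+ } else {
-+ shift_control = 2;
-+ /* set chain 4 mode */
-+ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
-+ /* activate all planes */
-+ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
-+ }
-+ s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
-+ (shift_control << 5);
-+ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
-+}
-+
- static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr)
- {
- VGACommonState *s = opaque;
-@@ -728,52 +771,19 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
- case VBE_DISPI_INDEX_ENABLE:
- if ((val & VBE_DISPI_ENABLED) &&
- !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
-- int h, shift_control;
-
- s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0;
- s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0;
- s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0;
- s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;
- vbe_fixup_regs(s);
-+ vbe_update_vgaregs(s);
-
- /* clear the screen */
- if (!(val & VBE_DISPI_NOCLEARMEM)) {
- memset(s->vram_ptr, 0,
- s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset);
- }
--
-- /* we initialize the VGA graphic mode */
-- /* graphic mode + memory map 1 */
-- s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
-- VGA_GR06_GRAPHICS_MODE;
-- s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
-- s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
-- /* width */
-- s->cr[VGA_CRTC_H_DISP] =
-- (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
-- /* height (only meaningful if < 1024) */
-- h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
-- s->cr[VGA_CRTC_V_DISP_END] = h;
-- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
-- ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
-- /* line compare to 1023 */
-- s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
-- s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
-- s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
--
-- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
-- shift_control = 0;
-- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
-- } else {
-- shift_control = 2;
-- /* set chain 4 mode */
-- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
-- /* activate all planes */
-- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
-- }
-- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
-- (shift_control << 5);
-- s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
- } else {
- s->bank_offset = 0;
- }
---
-2.7.4
-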
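--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p3.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From a6e5e5dd4bbc022acbd10ebcf415a6a57418d09e Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 26 Apr 2016 15:39:22 +0200
-Subject: [PATCH 3/4] vga: update vga register setup on vbe changes
-
-Call the new vbe_update_vgaregs() function on vbe configuration
-changes, to make sure vga registers are up-to-date.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
-Upstream-Status: Backport
-CVE: CVE-2016-3712 patch3
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- hw/display/vga.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index f1987e3..10ac7df 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -761,6 +761,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
- case VBE_DISPI_INDEX_Y_OFFSET:
- s->vbe_regs[s->vbe_index] = val;
- vbe_fixup_regs(s);
-+ vbe_update_vgaregs(s);
- break;
- case VBE_DISPI_INDEX_BANK:
- val &= s->vbe_bank_mask;
---
-2.7.4
-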
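--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 44b86aa32e4147c727fadd9a0f0bc503a5dedb72 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 26 Apr 2016 14:48:06 +0200
-Subject: [PATCH 4/4] vga: make sure vga register setup for vbe stays intact
- (CVE-2016-3712).
-
-Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
-registers, to make sure the vga registers will always have the
-values needed by vbe mode. This makes sure the sanity checks
-applied by vbe_fixup_regs() are effective.
-
-Without this guests can muck with shift_control, can turn on planar
-vga modes or text mode emulation while VBE is active, making qemu
-take code paths meant for CGA compatibility, but with the very
-large display widths and heigts settable using VBE registers.
-
-Which is good for one or another buffer overflow. Not that
-critical as they typically read overflows happening somewhere
-in the display code. So guests can DoS by crashing qemu with a
-segfault, but it is probably not possible to break out of the VM.
-
-Fixes: CVE-2016-3712
-Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
-Reported-by: P J P <ppandit@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
-Upstream-Status: Backport
-CVE: CVE-2016-3712 patch4 ( the fix)
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- hw/display/vga.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index 10ac7df..679070e 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -140,6 +140,8 @@ static uint32_t expand4[256];
- static uint16_t expand2[256];
- static uint8_t expand4to8[16];
-
-+static void vbe_update_vgaregs(VGACommonState *s);
-+
- static inline bool vbe_enabled(VGACommonState *s)
- {
- return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
-@@ -482,6 +484,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
- printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
- #endif
- s->sr[s->sr_index] = val & sr_mask[s->sr_index];
-+ vbe_update_vgaregs(s);
- if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
- s->update_retrace_info(s);
- }
-@@ -513,6 +516,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
- printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
- #endif
- s->gr[s->gr_index] = val & gr_mask[s->gr_index];
-+ vbe_update_vgaregs(s);
- vga_update_memory_access(s);
- break;
- case VGA_CRT_IM:
-@@ -531,10 +535,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
- if (s->cr_index == VGA_CRTC_OVERFLOW) {
- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
- (val & 0x10);
-+ vbe_update_vgaregs(s);
- }
- return;
- }
- s->cr[s->cr_index] = val;
-+ vbe_update_vgaregs(s);
-
- switch(s->cr_index) {
- case VGA_CRTC_H_TOTAL:
---
-2.7.4
-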
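--- a/meta/recipes-devtools/qemu/qemu_2.5.1.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.1.1.bb
@@ -13,11 +13,6 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
  file://rng_remove_the_unused_request_cancellation_code.patch \
  file://rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch \
  file://CVE-2016-2858.patch \
- file://CVE-2016-3710.patch \
- file://CVE-2016-3712_p1.patch \
- file://CVE-2016-3712_p2.patch \
- file://CVE-2016-3712_p3.patch \
- file://CVE-2016-3712_p4.patch \
  file://CVE-2016-4439.patch \
  file://CVE-2016-6351_p1.patch \
  file://CVE-2016-6351_p2.patch \
@@ -27,8 +22,8 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
  file://CVE-2016-4952.patch \
  "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
-SRC_URI[md5sum] = "42e73182dea8b9213fa7050e168a4615"
-SRC_URI[sha256sum] = "028752c33bb786abbfe496ba57315dc5a7d0a33b5a7a767f6d7a29020c525d2c"
+SRC_URI[md5sum] = "f5ff0e71398b9e428b4f177001ba4285"
+SRC_URI[sha256sum] = "28d9946e43765a44ccccca3cba5f4f9034f2759ec1f2ce16594ddb6776c8efe6"
 
 COMPATIBLE_HOST_class-target_mips64 = "null"
 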