author | Armin Kuster <akuster@mvista.com> | 2016-09-19 18:12:42 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-09-23 23:22:04 +0100 |
commit | 98e7d8a9a0da4e63fa4754838ab7e4ff3c119da4 (patch) | |
tree | 0696bef640641d37d72197ddcb54ce4b9d32bc2b /meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch | |
parent | ffa3a07ac11f7affc63c00da965523c717389877 (diff) | |
download | poky-98e7d8a9a0da4e63fa4754838ab7e4ff3c119da4.tar.gz |
qemu: Security Fix CVE-2016-3712
affects qemu < 2.6.0
(From OE-Core rev: 6f25d966c41df5315d253859d9ebf231963bf671)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch | 132 |
1 files changed, 132 insertions, 0 deletions
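diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch
new file mode 100644
index 0000000000..11330d766d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch
@@ -0,0 +1,132 @@
+From 2f2f74e87c15e830f5a4dda7a166effcab5047ec Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 26 Apr 2016 15:24:18 +0200
+Subject: [PATCH 2/4] vga: factor out vga register setup
+
+When enabling vbe mode qemu will setup a bunch of vga registers to make
+sure the vga emulation operates in correct mode for a linear
+framebuffer. Move that code to a separate function so we can call it
+from other places too.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-3712 patch2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/display/vga.c | 78 ++++++++++++++++++++++++++++++++------------------------
+1 file changed, 44 insertions(+), 34 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index cc1a682..f1987e3 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -642,6 +642,49 @@ static void vbe_fixup_regs(VGACommonState *s)
+s->vbe_start_addr = offset / 4;
+}
+
++/* we initialize the VGA graphic mode */
++static void vbe_update_vgaregs(VGACommonState *s)
++{
++ int h, shift_control;
++
++ if (!vbe_enabled(s)) {
++ /* vbe is turned off -- nothing to do */
++ return;
++ }
++
++ /* graphic mode + memory map 1 */
++ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
++ VGA_GR06_GRAPHICS_MODE;
++ s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
++ s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
++ /* width */
++ s->cr[VGA_CRTC_H_DISP] =
++ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
++ /* height (only meaningful if < 1024) */
++ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
++ s->cr[VGA_CRTC_V_DISP_END] = h;
++ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
++ ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
++ /* line compare to 1023 */
++ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
++ s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
++ s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
++
++ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
++ shift_control = 0;
++ s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
++ } else {
++ shift_control = 2;
++ /* set chain 4 mode */
++ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
++ /* activate all planes */
++ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
++ }
++ s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
++ (shift_control << 5);
++ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
++}
++
+static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr)
+{
+VGACommonState *s = opaque;
+@@ -728,52 +771,19 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+case VBE_DISPI_INDEX_ENABLE:
+if ((val & VBE_DISPI_ENABLED) &&
+!(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
+- int h, shift_control;
+
+s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0;
+s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0;
+s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0;
+s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;
+vbe_fixup_regs(s);
++ vbe_update_vgaregs(s);
+
+/* clear the screen */
+if (!(val & VBE_DISPI_NOCLEARMEM)) {
+memset(s->vram_ptr, 0,
+s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset);
+}
+-
+- /* we initialize the VGA graphic mode */
+- /* graphic mode + memory map 1 */
+- s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
+- VGA_GR06_GRAPHICS_MODE;
+- s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
+- s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
+- /* width */
+- s->cr[VGA_CRTC_H_DISP] =
+- (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
+- /* height (only meaningful if < 1024) */
+- h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
+- s->cr[VGA_CRTC_V_DISP_END] = h;
+- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
+- ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
+- /* line compare to 1023 */
+- s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
+- s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
+- s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
+-
+- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+- shift_control = 0;
+- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
+- } else {
+- shift_control = 2;
+- /* set chain 4 mode */
+- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+- /* activate all planes */
+- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
+- }
+- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
+- (shift_control << 5);
+- s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
+} else {
+s->bank_offset = 0;
+}
+--
+2.7.4
+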
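Review bot: The patch header labels this file `CVE: CVE-2016-3712 patch2` but does not say it is only a prerequisite refactor: the visible hunks move the VGA register setup out of the `VBE_DISPI_INDEX_ENABLE` branch of `vbe_ioport_write_data` into `vbe_update_vgaregs()` and call it from that same branch, so by itself it does not appear to add any new check. The protection presumably comes from the other parts of the `[PATCH 2/4]` series, so the recipe should be confirmed to apply all four parts in order; the diffstat on this page is limited to this one file, so that cannot be verified here. I would extend the header to `Upstream-Status: Backport [<upstream commit or release>]` and add a line such as `Prerequisite refactor for the CVE-2016-3712 fix` so that nobody carries this file alone and treats the CVE as closed. Two differences from the removed inline code also deserve a sentence in the patch description: the helper returns early when `vbe_enabled(s)` is false, and the register setup now runs before the screen-clearing `memset` instead of after it.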