qemu: Upgrade 2.5.1 -> 2.5.1.1

This is a minor upgrade only comes with security fixes in qemu VGA and UART code to avoid corruptions (CVE-2016-3710 and CVE-2016-3712). For review details, http://git.qemu.org/?p=qemu.git;a=log;h=v2.5.1.1 (From OE-Core rev: da522c0c248c9a8b10a90de4cd6e7e05367e637d) This patch is backported from upstream morty branch: http://git.yoctoproject.org/cgit/cgit.cgi/poky/patch/?id=b0207e742542cc44086d612df0a216cc45875538 Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-05-10 14:17:32 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-05-11 15:28:43 +0200
commit: 71d585a8deafbeea66a517313d9ae10862484d22 (patch)
tree: 62f5374c4202f9885e855ef824ffe9e1231c1801 /meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
parent: 07c94f74cda62c672e7e80292f917a76e1214be0 (diff)
download: poky-71d585a8deafbeea66a517313d9ae10862484d22.tar.gz
1 files changed, 0 insertions, 80 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
deleted file mode 100644
index 96e980a58d..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 44b86aa32e4147c727fadd9a0f0bc503a5dedb72 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 26 Apr 2016 14:48:06 +0200
-Subject: [PATCH 4/4] vga: make sure vga register setup for vbe stays intact
- (CVE-2016-3712).
-Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
-registers, to make sure the vga registers will always have the
-values needed by vbe mode.  This makes sure the sanity checks
-applied by vbe_fixup_regs() are effective.
-Without this guests can muck with shift_control, can turn on planar
-vga modes or text mode emulation while VBE is active, making qemu
-take code paths meant for CGA compatibility, but with the very
-large display widths and heigts settable using VBE registers.
-Which is good for one or another buffer overflow.  Not that
-critical as they typically read overflows happening somewhere
-in the display code.  So guests can DoS by crashing qemu with a
-segfault, but it is probably not possible to break out of the VM.
-Fixes: CVE-2016-3712
-Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
-Reported-by: P J P <ppandit@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Upstream-Status: Backport
-CVE: CVE-2016-3712 patch4 ( the fix)
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- hw/display/vga.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index 10ac7df..679070e 100644
--- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -140,6 +140,8 @@ static uint32_t expand4[256];
- static uint16_t expand2[256];
- static uint8_t expand4to8[16];
- 
-+static void vbe_update_vgaregs(VGACommonState *s);
-+
- static inline bool vbe_enabled(VGACommonState *s)
- {
-     return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
-@@ -482,6 +484,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
-         printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
- #endif
-         s->sr[s->sr_index] = val & sr_mask[s->sr_index];
-+        vbe_update_vgaregs(s);
-         if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
-             s->update_retrace_info(s);
-         }
-@@ -513,6 +516,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
-         printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
- #endif
-         s->gr[s->gr_index] = val & gr_mask[s->gr_index];
-+        vbe_update_vgaregs(s);
-         vga_update_memory_access(s);
-         break;
-     case VGA_CRT_IM:
-@@ -531,10 +535,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
-             if (s->cr_index == VGA_CRTC_OVERFLOW) {
-                 s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
-                     (val & 0x10);
-+                vbe_update_vgaregs(s);
-             }
-             return;
-         }
-         s->cr[s->cr_index] = val;
-+        vbe_update_vgaregs(s);
- 
-         switch(s->cr_index) {
-         case VGA_CRTC_H_TOTAL:
-- 
-2.7.4
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-05-10 14:17:32 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-05-11 15:28:43 +0200
commit	71d585a8deafbeea66a517313d9ae10862484d22 (patch)
tree	62f5374c4202f9885e855ef824ffe9e1231c1801 /meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
parent	07c94f74cda62c672e7e80292f917a76e1214be0 (diff)
download	poky-71d585a8deafbeea66a517313d9ae10862484d22.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch deleted file mode 100644 index 96e980a58d..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch +++ /dev/null
@@ -1,80 +0,0 @@
1	From 44b86aa32e4147c727fadd9a0f0bc503a5dedb72 Mon Sep 17 00:00:00 2001
2	From: Gerd Hoffmann <kraxel@redhat.com>
3	Date: Tue, 26 Apr 2016 14:48:06 +0200
4	Subject: [PATCH 4/4] vga: make sure vga register setup for vbe stays intact
5	(CVE-2016-3712).
6
7	Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
8	registers, to make sure the vga registers will always have the
9	values needed by vbe mode. This makes sure the sanity checks
10	applied by vbe_fixup_regs() are effective.
11
12	Without this guests can muck with shift_control, can turn on planar
13	vga modes or text mode emulation while VBE is active, making qemu
14	take code paths meant for CGA compatibility, but with the very
15	large display widths and heigts settable using VBE registers.
16
17	Which is good for one or another buffer overflow. Not that
18	critical as they typically read overflows happening somewhere
19	in the display code. So guests can DoS by crashing qemu with a
20	segfault, but it is probably not possible to break out of the VM.
21
22	Fixes: CVE-2016-3712
23	Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
24	Reported-by: P J P <ppandit@redhat.com>
25	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
26	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
27
28	Upstream-Status: Backport
29	CVE: CVE-2016-3712 patch4 ( the fix)
30	Signed-off-by: Armin Kuster <akuster@mvista.com>
31
32	---
33	hw/display/vga.c \| 6 ++++++
34	1 file changed, 6 insertions(+)
35
36	diff --git a/hw/display/vga.c b/hw/display/vga.c
37	index 10ac7df..679070e 100644
38	--- a/hw/display/vga.c
39	+++ b/hw/display/vga.c
40	@@ -140,6 +140,8 @@ static uint32_t expand4[256];
41	static uint16_t expand2[256];
42	static uint8_t expand4to8[16];
43
44	+static void vbe_update_vgaregs(VGACommonState *s);
45	+
46	static inline bool vbe_enabled(VGACommonState *s)
47	{
48	return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
49	@@ -482,6 +484,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
50	printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
51	#endif
52	s->sr[s->sr_index] = val & sr_mask[s->sr_index];
53	+ vbe_update_vgaregs(s);
54	if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
55	s->update_retrace_info(s);
56	}
57	@@ -513,6 +516,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
58	printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
59	#endif
60	s->gr[s->gr_index] = val & gr_mask[s->gr_index];
61	+ vbe_update_vgaregs(s);
62	vga_update_memory_access(s);
63	break;
64	case VGA_CRT_IM:
65	@@ -531,10 +535,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
66	if (s->cr_index == VGA_CRTC_OVERFLOW) {
67	s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) \|
68	(val & 0x10);
69	+ vbe_update_vgaregs(s);
70	}
71	return;
72	}
73	s->cr[s->cr_index] = val;
74	+ vbe_update_vgaregs(s);
75
76	switch(s->cr_index) {
77	case VGA_CRTC_H_TOTAL:
78	--
79	2.7.4
80