qemu: Security fixes

Fix CVE-2017-13672, CVE-2017-13673, CVE-2017-13711, CVE-2017-14167 References: https://nvd.nist.gov/vuln/detail/CVE-2017-13672 https://nvd.nist.gov/vuln/detail/CVE-2017-13673 https://nvd.nist.gov/vuln/detail/CVE-2017-13711 https://nvd.nist.gov/vuln/detail/CVE-2017-14167 Patches from: CVE-2017-13672: https://git.qemu.org/?p=qemu.git;a=commit;h=3d90c6254863693a6b13d918d2b8682e08bbc681 CVE-2017-13673: https://git.qemu.org/?p=qemu.git;a=commit;h=e65294157d4b69393b3f819c99f4f647452b48e3 CVE-2017-13711: https://git.qemu.org/?p=qemu.git;a=commit;h=1201d308519f1e915866d7583d5136d03cc1d384 CVE-2017-14167: https://git.qemu.org/?p=qemu.git;a=commit;h=ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb (From OE-Core rev: acc5036a6b74a76d719e6f7224a398f47df4a041) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Zhao <yi.zhao@windriver.com> 2017-09-21 08:34:37 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-09-22 17:15:30 +0100
commit: 4db9f488546fda5eb287a1337bd7213005aed864 (patch)
tree: 16571ee495f7b8457742754df12fc954e13c1429 /meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch
parent: bbe55428976d1f486bf232f654cc055b87e369e0 (diff)
download: poky-4db9f488546fda5eb287a1337bd7213005aed864.tar.gz
1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch
new file mode 100644
index 0000000000..3d0695fd66
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch
@@ -0,0 +1,53 @@
+From e65294157d4b69393b3f819c99f4f647452b48e3 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 28 Aug 2017 14:33:07 +0200
+Subject: [PATCH] vga: fix display update region calculation (split screen)
+vga display update mis-calculated the region for the dirty bitmap
+snapshot in case split screen mode is used.  This can trigger an
+assert in cpu_physical_memory_snapshot_get_dirty().
+Impact:  DoS for privileged guest users.
+Fixes: CVE-2017-13673
+Fixes: fec5e8c92becad223df9d972770522f64aafdb72
+Cc: P J P <ppandit@redhat.com>
+Reported-by: David Buchanan <d@vidbuchanan.co.uk>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20170828123307.15392-1-kraxel@redhat.com
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=e65294157d4b69393b3f819c99f4f647452b48e3]
+CVE: CVE-2017-13673
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ hw/display/vga.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 3433102..ad7a465 100644
+--- a/hw/display/vga.c
+++ b/hw/display/vga.c
+@@ -1628,9 +1628,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+     y1 = 0;
+ 
+     if (!full_update) {
+        ram_addr_t region_start = addr1;
+        ram_addr_t region_end = addr1 + line_offset * height;
+         vga_sync_dirty_bitmap(s);
+-        snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1,
+-                                                      line_offset * height,
+        if (s->line_compare < height) {
+            /* split screen mode */
+            region_start = 0;
+        }
+        snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start,
+                                                      region_end - region_start,
+                                                       DIRTY_MEMORY_VGA);
+     }
+ 
+-- 
+2.7.4
author	Yi Zhao <yi.zhao@windriver.com>	2017-09-21 08:34:37 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-09-22 17:15:30 +0100
commit	4db9f488546fda5eb287a1337bd7213005aed864 (patch)
tree	16571ee495f7b8457742754df12fc954e13c1429 /meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch
parent	bbe55428976d1f486bf232f654cc055b87e369e0 (diff)
download	poky-4db9f488546fda5eb287a1337bd7213005aed864.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch new file mode 100644 index 0000000000..3d0695fd66 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch
@@ -0,0 +1,53 @@
	1	From e65294157d4b69393b3f819c99f4f647452b48e3 Mon Sep 17 00:00:00 2001
	2	From: Gerd Hoffmann <kraxel@redhat.com>
	3	Date: Mon, 28 Aug 2017 14:33:07 +0200
	4	Subject: [PATCH] vga: fix display update region calculation (split screen)
	5
	6	vga display update mis-calculated the region for the dirty bitmap
	7	snapshot in case split screen mode is used. This can trigger an
	8	assert in cpu_physical_memory_snapshot_get_dirty().
	9
	10	Impact: DoS for privileged guest users.
	11
	12	Fixes: CVE-2017-13673
	13	Fixes: fec5e8c92becad223df9d972770522f64aafdb72
	14	Cc: P J P <ppandit@redhat.com>
	15	Reported-by: David Buchanan <d@vidbuchanan.co.uk>
	16	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	17	Message-id: 20170828123307.15392-1-kraxel@redhat.com
	18
	19	Upstream-Status: Backport
	20	[https://git.qemu.org/?p=qemu.git;a=commit;h=e65294157d4b69393b3f819c99f4f647452b48e3]
	21
	22	CVE: CVE-2017-13673
	23
	24	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	25	---
	26	hw/display/vga.c \| 10 ++++++++--
	27	1 file changed, 8 insertions(+), 2 deletions(-)
	28
	29	diff --git a/hw/display/vga.c b/hw/display/vga.c
	30	index 3433102..ad7a465 100644
	31	--- a/hw/display/vga.c
	32	+++ b/hw/display/vga.c
	33	@@ -1628,9 +1628,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
	34	y1 = 0;
	35
	36	if (!full_update) {
	37	+ ram_addr_t region_start = addr1;
	38	+ ram_addr_t region_end = addr1 + line_offset * height;
	39	vga_sync_dirty_bitmap(s);
	40	- snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1,
	41	- line_offset * height,
	42	+ if (s->line_compare < height) {
	43	+ /* split screen mode */
	44	+ region_start = 0;
	45	+ }
	46	+ snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start,
	47	+ region_end - region_start,
	48	DIRTY_MEMORY_VGA);
	49	}
	50
	51	--
	52	2.7.4
	53