authorYi Zhao <yi.zhao@windriver.com>2017-09-21 08:34:37 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-09-22 17:15:30 +0100
commit4db9f488546fda5eb287a1337bd7213005aed864 (patch)
tree16571ee495f7b8457742754df12fc954e13c1429 /meta/recipes-devtools/qemu
parentbbe55428976d1f486bf232f654cc055b87e369e0 (diff)
downloadpoky-4db9f488546fda5eb287a1337bd7213005aed864.tar.gz
qemu: Security fixes
Fix CVE-2017-13672, CVE-2017-13673, CVE-2017-13711, CVE-2017-14167 References: https://nvd.nist.gov/vuln/detail/CVE-2017-13672 https://nvd.nist.gov/vuln/detail/CVE-2017-13673 https://nvd.nist.gov/vuln/detail/CVE-2017-13711 https://nvd.nist.gov/vuln/detail/CVE-2017-14167 Patches from: CVE-2017-13672: https://git.qemu.org/?p=qemu.git;a=commit;h=3d90c6254863693a6b13d918d2b8682e08bbc681 CVE-2017-13673: https://git.qemu.org/?p=qemu.git;a=commit;h=e65294157d4b69393b3f819c99f4f647452b48e3 CVE-2017-13711: https://git.qemu.org/?p=qemu.git;a=commit;h=1201d308519f1e915866d7583d5136d03cc1d384 CVE-2017-14167: https://git.qemu.org/?p=qemu.git;a=commit;h=ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb (From OE-Core rev: acc5036a6b74a76d719e6f7224a398f47df4a041) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch504
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2017-13711.patch87
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch70
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.10.0.bb4
5 files changed, 718 insertions, 0 deletions
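--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch
@@ -0,0 +1,504 @@
+From 3d90c6254863693a6b13d918d2b8682e08bbc681 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 28 Aug 2017 14:29:06 +0200
+Subject: [PATCH] vga: stop passing pointers to vga_draw_line* functions
+
+Instead pass around the address (aka offset into vga memory).
+Add vga_read_* helper functions which apply vbe_size_mask to
+the address, to make sure the address stays within the valid
+range, similar to the cirrus blitter fixes (commits ffaf857778
+and 026aeffcb4).
+
+Impact: DoS for privileged guest users. qemu crashes with
+a segfault, when hitting the guard page after vga memory
+allocation, while reading vga memory for display updates.
+
+Fixes: CVE-2017-13672
+Cc: P J P <ppandit@redhat.com>
+Reported-by: David Buchanan <d@vidbuchanan.co.uk>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20170828122906.18993-1-kraxel@redhat.com
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=3d90c6254863693a6b13d918d2b8682e08bbc681]
+
+CVE: CVE-2017-13672
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ hw/display/vga-helpers.h | 202 ++++++++++++++++++++++++++---------------------
+ hw/display/vga.c | 5 +-
+ hw/display/vga_int.h | 1 +
+ 3 files changed, 114 insertions(+), 94 deletions(-)
+
+diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h
+index 94f6de2..5a752b3 100644
+--- a/hw/display/vga-helpers.h
++++ b/hw/display/vga-helpers.h
+@@ -95,20 +95,46 @@ static void vga_draw_glyph9(uint8_t *d, int linesize,
+ } while (--h);
+ }
+
++static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
++{
++ return vga->vram_ptr[addr & vga->vbe_size_mask];
++}
++
++static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
++{
++ uint32_t offset = addr & vga->vbe_size_mask & ~1;
++ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
++ return lduw_le_p(ptr);
++}
++
++static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
++{
++ uint32_t offset = addr & vga->vbe_size_mask & ~1;
++ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
++ return lduw_be_p(ptr);
++}
++
++static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
++{
++ uint32_t offset = addr & vga->vbe_size_mask & ~3;
++ uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
++ return ldl_le_p(ptr);
++}
++
+ /*
+ * 4 color mode
+ */
+-static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line2(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ uint32_t plane_mask, *palette, data, v;
+ int x;
+
+- palette = s1->last_palette;
+- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
++ palette = vga->last_palette;
++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ width >>= 3;
+ for(x = 0; x < width; x++) {
+- data = ((uint32_t *)s)[0];
++ data = vga_read_dword_le(vga, addr);
+ data &= plane_mask;
+ v = expand2[GET_PLANE(data, 0)];
+ v |= expand2[GET_PLANE(data, 2)] << 2;
+@@ -124,7 +150,7 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
+ ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf];
+ ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf];
+ d += 32;
+- s += 4;
++ addr += 4;
+ }
+ }
+
+@@ -134,17 +160,17 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
+ /*
+ * 4 color mode, dup2 horizontal
+ */
+-static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line2d2(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ uint32_t plane_mask, *palette, data, v;
+ int x;
+
+- palette = s1->last_palette;
+- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
++ palette = vga->last_palette;
++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ width >>= 3;
+ for(x = 0; x < width; x++) {
+- data = ((uint32_t *)s)[0];
++ data = vga_read_dword_le(vga, addr);
+ data &= plane_mask;
+ v = expand2[GET_PLANE(data, 0)];
+ v |= expand2[GET_PLANE(data, 2)] << 2;
+@@ -160,24 +186,24 @@ static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d,
+ PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
+ PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
+ d += 64;
+- s += 4;
++ addr += 4;
+ }
+ }
+
+ /*
+ * 16 color mode
+ */
+-static void vga_draw_line4(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line4(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ uint32_t plane_mask, data, v, *palette;
+ int x;
+
+- palette = s1->last_palette;
+- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
++ palette = vga->last_palette;
++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ width >>= 3;
+ for(x = 0; x < width; x++) {
+- data = ((uint32_t *)s)[0];
++ data = vga_read_dword_le(vga, addr);
+ data &= plane_mask;
+ v = expand4[GET_PLANE(data, 0)];
+ v |= expand4[GET_PLANE(data, 1)] << 1;
+@@ -192,24 +218,24 @@ static void vga_draw_line4(VGACommonState *s1, uint8_t *d,
+ ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf];
+ ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf];
+ d += 32;
+- s += 4;
++ addr += 4;
+ }
+ }
+
+ /*
+ * 16 color mode, dup2 horizontal
+ */
+-static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line4d2(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ uint32_t plane_mask, data, v, *palette;
+ int x;
+
+- palette = s1->last_palette;
+- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
++ palette = vga->last_palette;
++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ width >>= 3;
+ for(x = 0; x < width; x++) {
+- data = ((uint32_t *)s)[0];
++ data = vga_read_dword_le(vga, addr);
+ data &= plane_mask;
+ v = expand4[GET_PLANE(data, 0)];
+ v |= expand4[GET_PLANE(data, 1)] << 1;
+@@ -224,7 +250,7 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
+ PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
+ PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
+ d += 64;
+- s += 4;
++ addr += 4;
+ }
+ }
+
+@@ -233,21 +259,21 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
+ *
+ * XXX: add plane_mask support (never used in standard VGA modes)
+ */
+-static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line8d2(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ uint32_t *palette;
+ int x;
+
+- palette = s1->last_palette;
++ palette = vga->last_palette;
+ width >>= 3;
+ for(x = 0; x < width; x++) {
+- PUT_PIXEL2(d, 0, palette[s[0]]);
+- PUT_PIXEL2(d, 1, palette[s[1]]);
+- PUT_PIXEL2(d, 2, palette[s[2]]);
+- PUT_PIXEL2(d, 3, palette[s[3]]);
++ PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]);
++ PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]);
++ PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]);
++ PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]);
+ d += 32;
+- s += 4;
++ addr += 4;
+ }
+ }
+
+@@ -256,63 +282,63 @@ static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d,
+ *
+ * XXX: add plane_mask support (never used in standard VGA modes)
+ */
+-static void vga_draw_line8(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line8(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ uint32_t *palette;
+ int x;
+
+- palette = s1->last_palette;
++ palette = vga->last_palette;
+ width >>= 3;
+ for(x = 0; x < width; x++) {
+- ((uint32_t *)d)[0] = palette[s[0]];
+- ((uint32_t *)d)[1] = palette[s[1]];
+- ((uint32_t *)d)[2] = palette[s[2]];
+- ((uint32_t *)d)[3] = palette[s[3]];
+- ((uint32_t *)d)[4] = palette[s[4]];
+- ((uint32_t *)d)[5] = palette[s[5]];
+- ((uint32_t *)d)[6] = palette[s[6]];
+- ((uint32_t *)d)[7] = palette[s[7]];
++ ((uint32_t *)d)[0] = palette[vga_read_byte(vga, addr + 0)];
++ ((uint32_t *)d)[1] = palette[vga_read_byte(vga, addr + 1)];
++ ((uint32_t *)d)[2] = palette[vga_read_byte(vga, addr + 2)];
++ ((uint32_t *)d)[3] = palette[vga_read_byte(vga, addr + 3)];
++ ((uint32_t *)d)[4] = palette[vga_read_byte(vga, addr + 4)];
++ ((uint32_t *)d)[5] = palette[vga_read_byte(vga, addr + 5)];
++ ((uint32_t *)d)[6] = palette[vga_read_byte(vga, addr + 6)];
++ ((uint32_t *)d)[7] = palette[vga_read_byte(vga, addr + 7)];
+ d += 32;
+- s += 8;
++ addr += 8;
+ }
+ }
+
+ /*
+ * 15 bit color
+ */
+-static void vga_draw_line15_le(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line15_le(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ int w;
+ uint32_t v, r, g, b;
+
+ w = width;
+ do {
+- v = lduw_le_p((void *)s);
++ v = vga_read_word_le(vga, addr);
+ r = (v >> 7) & 0xf8;
+ g = (v >> 2) & 0xf8;
+ b = (v << 3) & 0xf8;
+ ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
+- s += 2;
++ addr += 2;
+ d += 4;
+ } while (--w != 0);
+ }
+
+-static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line15_be(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ int w;
+ uint32_t v, r, g, b;
+
+ w = width;
+ do {
+- v = lduw_be_p((void *)s);
++ v = vga_read_word_be(vga, addr);
+ r = (v >> 7) & 0xf8;
+ g = (v >> 2) & 0xf8;
+ b = (v << 3) & 0xf8;
+ ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
+- s += 2;
++ addr += 2;
+ d += 4;
+ } while (--w != 0);
+ }
+@@ -320,38 +346,38 @@ static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d,
+ /*
+ * 16 bit color
+ */
+-static void vga_draw_line16_le(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line16_le(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ int w;
+ uint32_t v, r, g, b;
+
+ w = width;
+ do {
+- v = lduw_le_p((void *)s);
++ v = vga_read_word_le(vga, addr);
+ r = (v >> 8) & 0xf8;
+ g = (v >> 3) & 0xfc;
+ b = (v << 3) & 0xf8;
+ ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
+- s += 2;
++ addr += 2;
+ d += 4;
+ } while (--w != 0);
+ }
+
+-static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line16_be(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ int w;
+ uint32_t v, r, g, b;
+
+ w = width;
+ do {
+- v = lduw_be_p((void *)s);
++ v = vga_read_word_be(vga, addr);
+ r = (v >> 8) & 0xf8;
+ g = (v >> 3) & 0xfc;
+ b = (v << 3) & 0xf8;
+ ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
+- s += 2;
++ addr += 2;
+ d += 4;
+ } while (--w != 0);
+ }
+@@ -359,36 +385,36 @@ static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d,
+ /*
+ * 24 bit color
+ */
+-static void vga_draw_line24_le(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line24_le(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ int w;
+ uint32_t r, g, b;
+
+ w = width;
+ do {
+- b = s[0];
+- g = s[1];
+- r = s[2];
++ b = vga_read_byte(vga, addr + 0);
++ g = vga_read_byte(vga, addr + 1);
++ r = vga_read_byte(vga, addr + 2);
+ ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
+- s += 3;
++ addr += 3;
+ d += 4;
+ } while (--w != 0);
+ }
+
+-static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line24_be(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+ int w;
+ uint32_t r, g, b;
+
+ w = width;
+ do {
+- r = s[0];
+- g = s[1];
+- b = s[2];
++ r = vga_read_byte(vga, addr + 0);
++ g = vga_read_byte(vga, addr + 1);
++ b = vga_read_byte(vga, addr + 2);
+ ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
+- s += 3;
++ addr += 3;
+ d += 4;
+ } while (--w != 0);
+ }
+@@ -396,44 +422,36 @@ static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d,
+ /*
+ * 32 bit color
+ */
+-static void vga_draw_line32_le(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line32_le(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+-#ifndef HOST_WORDS_BIGENDIAN
+- memcpy(d, s, width * 4);
+-#else
+ int w;
+ uint32_t r, g, b;
+
+ w = width;
+ do {
+- b = s[0];
+- g = s[1];
+- r = s[2];
++ b = vga_read_byte(vga, addr + 0);
++ g = vga_read_byte(vga, addr + 1);
++ r = vga_read_byte(vga, addr + 2);
+ ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
+- s += 4;
++ addr += 4;
+ d += 4;
+ } while (--w != 0);
+-#endif
+ }
+
+-static void vga_draw_line32_be(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width)
++static void vga_draw_line32_be(VGACommonState *vga, uint8_t *d,
++ uint32_t addr, int width)
+ {
+-#ifdef HOST_WORDS_BIGENDIAN
+- memcpy(d, s, width * 4);
+-#else
+ int w;
+ uint32_t r, g, b;
+
+ w = width;
+ do {
+- r = s[1];
+- g = s[2];
+- b = s[3];
++ r = vga_read_byte(vga, addr + 1);
++ g = vga_read_byte(vga, addr + 2);
++ b = vga_read_byte(vga, addr + 3);
+ ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
+- s += 4;
++ addr += 4;
+ d += 4;
+ } while (--w != 0);
+-#endif
+ }
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index ad7a465..6fc8c87 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1005,7 +1005,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+ }
+
+ typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d,
+- const uint8_t *s, int width);
++ uint32_t srcaddr, int width);
+
+ #include "vga-helpers.h"
+
+@@ -1666,7 +1666,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ if (y_start < 0)
+ y_start = y;
+ if (!(is_buffer_shared(surface))) {
+- vga_draw_line(s, d, s->vram_ptr + addr, width);
++ vga_draw_line(s, d, addr, width);
+ if (s->cursor_draw_line)
+ s->cursor_draw_line(s, d, y);
+ }
+@@ -2170,6 +2170,7 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate)
+ if (!s->vbe_size) {
+ s->vbe_size = s->vram_size;
+ }
++ s->vbe_size_mask = s->vbe_size - 1;
+
+ s->is_vbe_vmstate = 1;
+ memory_region_init_ram_nomigrate(&s->vram, obj, "vga.vram", s->vram_size,
+diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
+index dd6c958..ad34a1f 100644
+--- a/hw/display/vga_int.h
++++ b/hw/display/vga_int.h
+@@ -94,6 +94,7 @@ typedef struct VGACommonState {
+ uint32_t vram_size;
+ uint32_t vram_size_mb; /* property */
+ uint32_t vbe_size;
++ uint32_t vbe_size_mask;
+ uint32_t latch;
+ bool has_chain4_alias;
+ MemoryRegion chain4_alias;
+--
+2.7.4
+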
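Review bot: `s->vbe_size_mask = s->vbe_size - 1;` in the vga_common_init hunk only bounds an address when vbe_size is a power of two, and every vga_read_* helper added to vga-helpers.h relies on that mask alone for memory safety; nothing in this patch shows the power-of-two property being enforced, so if a caller can set vbe_size to any other value `addr & vga->vbe_size_mask` can still land past the end of vram. Suggest pinning the invariant where the mask is computed, `assert(is_power_of_2(s->vbe_size));` immediately before the assignment, and documenting the field in vga_int.h as `uint32_t vbe_size_mask; /* vbe_size - 1; vbe_size must be a power of two */`. vga_common_init starts outside the hunk, so whether vbe_size is already rounded earlier in that function cannot be confirmed from this view.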
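--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch
@@ -0,0 +1,53 @@
+From e65294157d4b69393b3f819c99f4f647452b48e3 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 28 Aug 2017 14:33:07 +0200
+Subject: [PATCH] vga: fix display update region calculation (split screen)
+
+vga display update mis-calculated the region for the dirty bitmap
+snapshot in case split screen mode is used. This can trigger an
+assert in cpu_physical_memory_snapshot_get_dirty().
+
+Impact: DoS for privileged guest users.
+
+Fixes: CVE-2017-13673
+Fixes: fec5e8c92becad223df9d972770522f64aafdb72
+Cc: P J P <ppandit@redhat.com>
+Reported-by: David Buchanan <d@vidbuchanan.co.uk>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20170828123307.15392-1-kraxel@redhat.com
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=e65294157d4b69393b3f819c99f4f647452b48e3]
+
+CVE: CVE-2017-13673
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ hw/display/vga.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 3433102..ad7a465 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1628,9 +1628,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ y1 = 0;
+
+ if (!full_update) {
++ ram_addr_t region_start = addr1;
++ ram_addr_t region_end = addr1 + line_offset * height;
+ vga_sync_dirty_bitmap(s);
+- snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1,
+- line_offset * height,
++ if (s->line_compare < height) {
++ /* split screen mode */
++ region_start = 0;
++ }
++ snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start,
++ region_end - region_start,
+ DIRTY_MEMORY_VGA);
+ }
+
+--
+2.7.4
+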
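Review bot: The added comment `/* split screen mode */` says when `region_start` is reset to 0 but not why, which is the substance of the fix. Presumably once `s->line_compare < height` the lines below the split are scanned out from vram offset 0 rather than from addr1, so the dirty snapshot has to begin at 0 to cover them; suggest `/* split screen: lines past line_compare are scanned out from vram offset 0, so the dirty region must start there */`. `region_end` is still derived from addr1, so the snapshot spans [0, addr1 + line_offset * height), a superset of both halves, and a one-line note on that would save the next reader the derivation. vga_draw_graphic begins and ends outside the hunk.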
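--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2017-13711.patch
@@ -0,0 +1,87 @@
+From 1201d308519f1e915866d7583d5136d03cc1d384 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Fri, 25 Aug 2017 01:35:53 +0200
+Subject: [PATCH] slirp: fix clearing ifq_so from pending packets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The if_fastq and if_batchq contain not only packets, but queues of packets
+for the same socket. When sofree frees a socket, it thus has to clear ifq_so
+from all the packets from the queues, not only the first.
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=1201d308519f1e915866d7583d5136d03cc1d384]
+
+CVE: CVE-2017-13711
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ slirp/socket.c | 39 +++++++++++++++++++++++----------------
+ 1 file changed, 23 insertions(+), 16 deletions(-)
+
+diff --git a/slirp/socket.c b/slirp/socket.c
+index ecec029..cb7b5b6 100644
+--- a/slirp/socket.c
++++ b/slirp/socket.c
+@@ -60,29 +60,36 @@ socreate(Slirp *slirp)
+ }
+
+ /*
++ * Remove references to so from the given message queue.
++ */
++static void
++soqfree(struct socket *so, struct quehead *qh)
++{
++ struct mbuf *ifq;
++
++ for (ifq = (struct mbuf *) qh->qh_link;
++ (struct quehead *) ifq != qh;
++ ifq = ifq->ifq_next) {
++ if (ifq->ifq_so == so) {
++ struct mbuf *ifm;
++ ifq->ifq_so = NULL;
++ for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) {
++ ifm->ifq_so = NULL;
++ }
++ }
++ }
++}
++
++/*
+ * remque and free a socket, clobber cache
+ */
+ void
+ sofree(struct socket *so)
+ {
+ Slirp *slirp = so->slirp;
+- struct mbuf *ifm;
+
+- for (ifm = (struct mbuf *) slirp->if_fastq.qh_link;
+- (struct quehead *) ifm != &slirp->if_fastq;
+- ifm = ifm->ifq_next) {
+- if (ifm->ifq_so == so) {
+- ifm->ifq_so = NULL;
+- }
+- }
+-
+- for (ifm = (struct mbuf *) slirp->if_batchq.qh_link;
+- (struct quehead *) ifm != &slirp->if_batchq;
+- ifm = ifm->ifq_next) {
+- if (ifm->ifq_so == so) {
+- ifm->ifq_so = NULL;
+- }
+- }
++ soqfree(so, &slirp->if_fastq);
++ soqfree(so, &slirp->if_batchq);
+
+ if (so->so_emu==EMU_RSH && so->extra) {
+ sofree(so->extra);
+--
+2.7.4
+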
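Review bot: The header comment on the new soqfree, `Remove references to so from the given message queue.`, understates what the function does: besides the queue heads it walks the `ifs_next` ring hanging off each head whose `ifq_so` matches, which is exactly the set of packets the two loops removed from sofree used to miss and the reason for the CVE. Suggest `/* Clear ifq_so on every packet in the given queue that points at so, including the per-socket ifs_next ring behind each head packet. */`. The inner loop's termination `ifm != ifq` presumes the ifs ring is circular and always leads back to its head; that invariant is not visible in this hunk and is worth stating in the same comment.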
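--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch
@@ -0,0 +1,70 @@
+From ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 7 Sep 2017 12:02:56 +0530
+Subject: [PATCH] multiboot: validate multiboot header address values
+
+While loading kernel via multiboot-v1 image, (flags & 0x00010000)
+indicates that multiboot header contains valid addresses to load
+the kernel image. These addresses are used to compute kernel
+size and kernel text offset in the OS image. Validate these
+address values to avoid an OOB access issue.
+
+This is CVE-2017-14167.
+
+Reported-by: Thomas Garnier <thgarnie@google.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20170907063256.7418-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb]
+
+CVE: CVE-2017-14167
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ hw/i386/multiboot.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
+index 6001f4c..c7b70c9 100644
+--- a/hw/i386/multiboot.c
++++ b/hw/i386/multiboot.c
+@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
+ uint32_t mh_header_addr = ldl_p(header+i+12);
+ uint32_t mh_load_end_addr = ldl_p(header+i+20);
+ uint32_t mh_bss_end_addr = ldl_p(header+i+24);
++
+ mh_load_addr = ldl_p(header+i+16);
++ if (mh_header_addr < mh_load_addr) {
++ fprintf(stderr, "invalid mh_load_addr address\n");
++ exit(1);
++ }
++
+ uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
+ uint32_t mb_load_size = 0;
+ mh_entry_addr = ldl_p(header+i+28);
+
+ if (mh_load_end_addr) {
++ if (mh_bss_end_addr < mh_load_addr) {
++ fprintf(stderr, "invalid mh_bss_end_addr address\n");
++ exit(1);
++ }
+ mb_kernel_size = mh_bss_end_addr - mh_load_addr;
++
++ if (mh_load_end_addr < mh_load_addr) {
++ fprintf(stderr, "invalid mh_load_end_addr address\n");
++ exit(1);
++ }
+ mb_load_size = mh_load_end_addr - mh_load_addr;
+ } else {
++ if (kernel_file_size < mb_kernel_text_offset) {
++ fprintf(stderr, "invalid kernel_file_size\n");
++ exit(1);
++ }
+ mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
+ mb_load_size = mb_kernel_size;
+ }
+--
+2.7.4
+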
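Review bot: The new checks reject each end address that lies below mh_load_addr, but `mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr)` still wraps around when the header-to-load distance exceeds `i`, and the only guard on that offset, `kernel_file_size < mb_kernel_text_offset`, sits in the else branch, so the `mh_load_end_addr` branch carries an unchecked offset and an unchecked `mb_load_size` into whatever consumes them. The load range is also never compared with the bss range, so `mb_load_size` may exceed `mb_kernel_size`. Suggest adding `if (mh_header_addr - mh_load_addr > i) { fprintf(stderr, "invalid mh_header_addr address\n"); exit(1); }` right after the existing mh_header_addr check, and `if (mb_load_size > mb_kernel_size) { fprintf(stderr, "invalid mh_load_end_addr address\n"); exit(1); }` after mb_load_size is assigned in the first branch. load_multiboot starts and ends outside the hunk, so how these values are used later cannot be confirmed from this view.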
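--- a/meta/recipes-devtools/qemu/qemu_2.10.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.10.0.bb
@@ -24,6 +24,10 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
  file://0003-Introduce-condition-in-TPM-backend-for-notification.patch \
  file://0004-Add-support-for-VM-suspend-resume-for-TPM-TIS-v2.9.patch \
  file://apic-fixup-fallthrough-to-PIC.patch \
+ file://CVE-2017-13711.patch \
+ file://CVE-2017-13673.patch \
+ file://CVE-2017-13672.patch \
+ file://CVE-2017-14167.patch \
  "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
 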
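Review bot: The order of the four new `file://CVE-*.patch` entries is load-bearing and nothing in the recipe says so: CVE-2017-13672.patch's vga.c hunk is based on blob `ad7a465`, which is the output blob of CVE-2017-13673.patch (`index 3433102..ad7a465`), so 13673 must stay listed before 13672 or the backport stops applying. A short comment above the block, `# CVE-2017-13673 must apply before CVE-2017-13672 (13672 is based on 13673's vga.c)`, would keep a future re-sort of the list from breaking do_patch.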