qemu: Security Fix CVE-2016-3710

affects Qemu < 2.6.0 (From OE-Core rev: aa366a5cb5c4ed84537381d71dd5e66514c575be) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-09-19 18:02:55 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-09-23 15:27:06 +0100
commit: 990b8e7919adefb4331d41a5e0d328fd1f0cefbc (patch)
tree: 1d7f7d28c0732811c7c2a59f90f38f97cadfaaec /meta
parent: db8258864e25a24e846bf982123d25655d33d4b3 (diff)
download: poky-990b8e7919adefb4331d41a5e0d328fd1f0cefbc.tar.gz
2 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch
new file mode 100644
index 0000000000..d3cd52bd5f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch
@@ -0,0 +1,112 @@
+From 4f0323d26c8da08b7bcfdd4722a38711bd2f1a3b Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 26 Apr 2016 08:49:10 +0200
+Subject: [PATCH] vga: fix banked access bounds checking (CVE-2016-3710)
+vga allows banked access to video memory using the window at 0xa00000
+and it supports a different access modes with different address
+calculations.
+The VBE bochs extentions support banked access too, using the
+VBE_DISPI_INDEX_BANK register.  The code tries to take the different
+address calculations into account and applies different limits to
+VBE_DISPI_INDEX_BANK depending on the current access mode.
+Which is probably effective in stopping misprogramming by accident.
+But from a security point of view completely useless as an attacker
+can easily change access modes after setting the bank register.
+Drop the bogus check, add range checks to vga_mem_{readb,writeb}
+instead.
+Fixes: CVE-2016-3710
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Upstream-Status: Backport
+CVE: CVE-2016-3710
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/display/vga.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 9f68394..442fee9 100644
+--- a/hw/display/vga.c
+++ b/hw/display/vga.c
+@@ -177,6 +177,7 @@ static void vga_update_memory_access(VGACommonState *s)
+             size = 0x8000;
+             break;
+         }
+        assert(offset + size <= s->vram_size);
+         memory_region_init_alias(&s->chain4_alias, memory_region_owner(&s->vram),
+                                  "vga.chain4", &s->vram, offset, size);
+         memory_region_add_subregion_overlap(s->legacy_address_space, base,
+@@ -714,11 +715,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+             vbe_fixup_regs(s);
+             break;
+         case VBE_DISPI_INDEX_BANK:
+-            if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+-              val &= (s->vbe_bank_mask >> 2);
+-            } else {
+-              val &= s->vbe_bank_mask;
+-            }
+            val &= s->vbe_bank_mask;
+             s->vbe_regs[s->vbe_index] = val;
+             s->bank_offset = (val << 16);
+             vga_update_memory_access(s);
+@@ -817,13 +814,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
+ 
+     if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+         /* chain 4 mode : simplest access */
+        assert(addr < s->vram_size);
+         ret = s->vram_ptr[addr];
+     } else if (s->gr[VGA_GFX_MODE] & 0x10) {
+         /* odd/even mode (aka text mode mapping) */
+         plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
+-        ret = s->vram_ptr[((addr & ~1) << 1) | plane];
+        addr = ((addr & ~1) << 1) | plane;
+        if (addr >= s->vram_size) {
+            return 0xff;
+        }
+        ret = s->vram_ptr[addr];
+     } else {
+         /* standard VGA latched access */
+        if (addr * sizeof(uint32_t) >= s->vram_size) {
+            return 0xff;
+        }
+         s->latch = ((uint32_t *)s->vram_ptr)[addr];
+ 
+         if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
+@@ -880,6 +885,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+         plane = addr & 3;
+         mask = (1 << plane);
+         if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+            assert(addr < s->vram_size);
+             s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+             printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
+@@ -893,6 +899,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+         mask = (1 << plane);
+         if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+             addr = ((addr & ~1) << 1) | plane;
+            if (addr >= s->vram_size) {
+                return;
+            }
+             s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+             printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
+@@ -966,6 +975,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+         mask = s->sr[VGA_SEQ_PLANE_WRITE];
+         s->plane_updated |= mask; /* only used to detect font change */
+         write_mask = mask16[mask];
+        if (addr * sizeof(uint32_t) >= s->vram_size) {
+            return;
+        }
+         ((uint32_t *)s->vram_ptr)[addr] =
+             (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) |
+             (val & write_mask);
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index 03a6cbe331..7651e9a5ae 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -16,6 +16,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
            file://rng_remove_the_unused_request_cancellation_code.patch \
            file://rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch \
            file://CVE-2016-2858.patch \
+            file://CVE-2016-3710.patch \
           "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
author	Armin Kuster <akuster@mvista.com>	2016-09-19 18:02:55 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-09-23 15:27:06 +0100
commit	990b8e7919adefb4331d41a5e0d328fd1f0cefbc (patch)
tree	1d7f7d28c0732811c7c2a59f90f38f97cadfaaec /meta
parent	db8258864e25a24e846bf982123d25655d33d4b3 (diff)
download	poky-990b8e7919adefb4331d41a5e0d328fd1f0cefbc.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch new file mode 100644 index 0000000000..d3cd52bd5f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch
@@ -0,0 +1,112 @@
		1	From 4f0323d26c8da08b7bcfdd4722a38711bd2f1a3b Mon Sep 17 00:00:00 2001
		2	From: Gerd Hoffmann <kraxel@redhat.com>
		3	Date: Tue, 26 Apr 2016 08:49:10 +0200
		4	Subject: [PATCH] vga: fix banked access bounds checking (CVE-2016-3710)
		5
		6	vga allows banked access to video memory using the window at 0xa00000
		7	and it supports a different access modes with different address
		8	calculations.
		9
		10	The VBE bochs extentions support banked access too, using the
		11	VBE_DISPI_INDEX_BANK register. The code tries to take the different
		12	address calculations into account and applies different limits to
		13	VBE_DISPI_INDEX_BANK depending on the current access mode.
		14
		15	Which is probably effective in stopping misprogramming by accident.
		16	But from a security point of view completely useless as an attacker
		17	can easily change access modes after setting the bank register.
		18
		19	Drop the bogus check, add range checks to vga_mem_{readb,writeb}
		20	instead.
		21
		22	Fixes: CVE-2016-3710
		23	Reported-by: Qinghao Tang <luodalongde@gmail.com>
		24	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		25	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
		26
		27	Upstream-Status: Backport
		28	CVE: CVE-2016-3710
		29	Signed-off-by: Armin Kuster <akuster@mvista.com>
		30	---
		31	hw/display/vga.c \| 24 ++++++++++++++++++------
		32	1 file changed, 18 insertions(+), 6 deletions(-)
		33
		34	diff --git a/hw/display/vga.c b/hw/display/vga.c
		35	index 9f68394..442fee9 100644
		36	--- a/hw/display/vga.c
		37	+++ b/hw/display/vga.c
		38	@@ -177,6 +177,7 @@ static void vga_update_memory_access(VGACommonState *s)
		39	size = 0x8000;
		40	break;
		41	}
		42	+ assert(offset + size <= s->vram_size);
		43	memory_region_init_alias(&s->chain4_alias, memory_region_owner(&s->vram),
		44	"vga.chain4", &s->vram, offset, size);
		45	memory_region_add_subregion_overlap(s->legacy_address_space, base,
		46	@@ -714,11 +715,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
		47	vbe_fixup_regs(s);
		48	break;
		49	case VBE_DISPI_INDEX_BANK:
		50	- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
		51	- val &= (s->vbe_bank_mask >> 2);
		52	- } else {
		53	- val &= s->vbe_bank_mask;
		54	- }
		55	+ val &= s->vbe_bank_mask;
		56	s->vbe_regs[s->vbe_index] = val;
		57	s->bank_offset = (val << 16);
		58	vga_update_memory_access(s);
		59	@@ -817,13 +814,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
		60
		61	if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
		62	/* chain 4 mode : simplest access */
		63	+ assert(addr < s->vram_size);
		64	ret = s->vram_ptr[addr];
		65	} else if (s->gr[VGA_GFX_MODE] & 0x10) {
		66	/* odd/even mode (aka text mode mapping) */
		67	plane = (s->gr[VGA_GFX_PLANE_READ] & 2) \| (addr & 1);
		68	- ret = s->vram_ptr[((addr & ~1) << 1) \| plane];
		69	+ addr = ((addr & ~1) << 1) \| plane;
		70	+ if (addr >= s->vram_size) {
		71	+ return 0xff;
		72	+ }
		73	+ ret = s->vram_ptr[addr];
		74	} else {
		75	/* standard VGA latched access */
		76	+ if (addr * sizeof(uint32_t) >= s->vram_size) {
		77	+ return 0xff;
		78	+ }
		79	s->latch = ((uint32_t *)s->vram_ptr)[addr];
		80
		81	if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
		82	@@ -880,6 +885,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
		83	plane = addr & 3;
		84	mask = (1 << plane);
		85	if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
		86	+ assert(addr < s->vram_size);
		87	s->vram_ptr[addr] = val;
		88	#ifdef DEBUG_VGA_MEM
		89	printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
		90	@@ -893,6 +899,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
		91	mask = (1 << plane);
		92	if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
		93	addr = ((addr & ~1) << 1) \| plane;
		94	+ if (addr >= s->vram_size) {
		95	+ return;
		96	+ }
		97	s->vram_ptr[addr] = val;
		98	#ifdef DEBUG_VGA_MEM
		99	printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
		100	@@ -966,6 +975,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
		101	mask = s->sr[VGA_SEQ_PLANE_WRITE];
		102	s->plane_updated \|= mask; /* only used to detect font change */
		103	write_mask = mask16[mask];
		104	+ if (addr * sizeof(uint32_t) >= s->vram_size) {
		105	+ return;
		106	+ }
		107	((uint32_t *)s->vram_ptr)[addr] =
		108	(((uint32_t *)s->vram_ptr)[addr] & ~write_mask) \|
		109	(val & write_mask);
		110	--
		111	2.7.4
		112


diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb index 03a6cbe331..7651e9a5ae 100644 --- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -16,6 +16,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
16	file://rng_remove_the_unused_request_cancellation_code.patch \	16	file://rng_remove_the_unused_request_cancellation_code.patch \
17	file://rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch \	17	file://rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch \
18	file://CVE-2016-2858.patch \	18	file://CVE-2016-2858.patch \
		19	file://CVE-2016-3710.patch \
19	"	20	"
20	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"	21	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
21	SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"	22	SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"