summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-09-19 18:02:55 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 15:27:06 +0100
commit990b8e7919adefb4331d41a5e0d328fd1f0cefbc (patch)
tree1d7f7d28c0732811c7c2a59f90f38f97cadfaaec /meta
parentdb8258864e25a24e846bf982123d25655d33d4b3 (diff)
downloadpoky-990b8e7919adefb4331d41a5e0d328fd1f0cefbc.tar.gz
qemu: Security Fix CVE-2016-3710
affects Qemu < 2.6.0 (From OE-Core rev: aa366a5cb5c4ed84537381d71dd5e66514c575be) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch112
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.5.0.bb1
2 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch
new file mode 100644
index 0000000000..d3cd52bd5f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch
@@ -0,0 +1,112 @@
1From 4f0323d26c8da08b7bcfdd4722a38711bd2f1a3b Mon Sep 17 00:00:00 2001
2From: Gerd Hoffmann <kraxel@redhat.com>
3Date: Tue, 26 Apr 2016 08:49:10 +0200
4Subject: [PATCH] vga: fix banked access bounds checking (CVE-2016-3710)
5
6vga allows banked access to video memory using the window at 0xa00000
7and it supports a different access modes with different address
8calculations.
9
10The VBE bochs extentions support banked access too, using the
11VBE_DISPI_INDEX_BANK register. The code tries to take the different
12address calculations into account and applies different limits to
13VBE_DISPI_INDEX_BANK depending on the current access mode.
14
15Which is probably effective in stopping misprogramming by accident.
16But from a security point of view completely useless as an attacker
17can easily change access modes after setting the bank register.
18
19Drop the bogus check, add range checks to vga_mem_{readb,writeb}
20instead.
21
22Fixes: CVE-2016-3710
23Reported-by: Qinghao Tang <luodalongde@gmail.com>
24Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
25Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
26
27Upstream-Status: Backport
28CVE: CVE-2016-3710
29Signed-off-by: Armin Kuster <akuster@mvista.com>
30---
31 hw/display/vga.c | 24 ++++++++++++++++++------
32 1 file changed, 18 insertions(+), 6 deletions(-)
33
34diff --git a/hw/display/vga.c b/hw/display/vga.c
35index 9f68394..442fee9 100644
36--- a/hw/display/vga.c
37+++ b/hw/display/vga.c
38@@ -177,6 +177,7 @@ static void vga_update_memory_access(VGACommonState *s)
39 size = 0x8000;
40 break;
41 }
42+ assert(offset + size <= s->vram_size);
43 memory_region_init_alias(&s->chain4_alias, memory_region_owner(&s->vram),
44 "vga.chain4", &s->vram, offset, size);
45 memory_region_add_subregion_overlap(s->legacy_address_space, base,
46@@ -714,11 +715,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
47 vbe_fixup_regs(s);
48 break;
49 case VBE_DISPI_INDEX_BANK:
50- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
51- val &= (s->vbe_bank_mask >> 2);
52- } else {
53- val &= s->vbe_bank_mask;
54- }
55+ val &= s->vbe_bank_mask;
56 s->vbe_regs[s->vbe_index] = val;
57 s->bank_offset = (val << 16);
58 vga_update_memory_access(s);
59@@ -817,13 +814,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
60
61 if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
62 /* chain 4 mode : simplest access */
63+ assert(addr < s->vram_size);
64 ret = s->vram_ptr[addr];
65 } else if (s->gr[VGA_GFX_MODE] & 0x10) {
66 /* odd/even mode (aka text mode mapping) */
67 plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
68- ret = s->vram_ptr[((addr & ~1) << 1) | plane];
69+ addr = ((addr & ~1) << 1) | plane;
70+ if (addr >= s->vram_size) {
71+ return 0xff;
72+ }
73+ ret = s->vram_ptr[addr];
74 } else {
75 /* standard VGA latched access */
76+ if (addr * sizeof(uint32_t) >= s->vram_size) {
77+ return 0xff;
78+ }
79 s->latch = ((uint32_t *)s->vram_ptr)[addr];
80
81 if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
82@@ -880,6 +885,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
83 plane = addr & 3;
84 mask = (1 << plane);
85 if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
86+ assert(addr < s->vram_size);
87 s->vram_ptr[addr] = val;
88 #ifdef DEBUG_VGA_MEM
89 printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
90@@ -893,6 +899,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
91 mask = (1 << plane);
92 if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
93 addr = ((addr & ~1) << 1) | plane;
94+ if (addr >= s->vram_size) {
95+ return;
96+ }
97 s->vram_ptr[addr] = val;
98 #ifdef DEBUG_VGA_MEM
99 printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
100@@ -966,6 +975,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
101 mask = s->sr[VGA_SEQ_PLANE_WRITE];
102 s->plane_updated |= mask; /* only used to detect font change */
103 write_mask = mask16[mask];
104+ if (addr * sizeof(uint32_t) >= s->vram_size) {
105+ return;
106+ }
107 ((uint32_t *)s->vram_ptr)[addr] =
108 (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) |
109 (val & write_mask);
110--
1112.7.4
112
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index 03a6cbe331..7651e9a5ae 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -16,6 +16,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
16 file://rng_remove_the_unused_request_cancellation_code.patch \ 16 file://rng_remove_the_unused_request_cancellation_code.patch \
17 file://rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch \ 17 file://rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch \
18 file://CVE-2016-2858.patch \ 18 file://CVE-2016-2858.patch \
19 file://CVE-2016-3710.patch \
19 " 20 "
20SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 21SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
21SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db" 22SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"