Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch | 80 |
1 files changed, 0 insertions, 80 deletions
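diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
deleted file mode 100644
index 96e980a58d..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 44b86aa32e4147c727fadd9a0f0bc503a5dedb72 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 26 Apr 2016 14:48:06 +0200
-Subject: [PATCH 4/4] vga: make sure vga register setup for vbe stays intact
-(CVE-2016-3712).
-
-Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
-registers, to make sure the vga registers will always have the
-values needed by vbe mode. This makes sure the sanity checks
-applied by vbe_fixup_regs() are effective.
-
-Without this guests can muck with shift_control, can turn on planar
-vga modes or text mode emulation while VBE is active, making qemu
-take code paths meant for CGA compatibility, but with the very
-large display widths and heigts settable using VBE registers.
-
-Which is good for one or another buffer overflow. Not that
-critical as they typically read overflows happening somewhere
-in the display code. So guests can DoS by crashing qemu with a
-segfault, but it is probably not possible to break out of the VM.
-
-Fixes: CVE-2016-3712
-Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
-Reported-by: P J P <ppandit@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
-Upstream-Status: Backport
-CVE: CVE-2016-3712 patch4 ( the fix)
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-hw/display/vga.c | 6 ++++++
-1 file changed, 6 insertions(+)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index 10ac7df..679070e 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -140,6 +140,8 @@ static uint32_t expand4[256];
-static uint16_t expand2[256];
-static uint8_t expand4to8[16];
-
-+static void vbe_update_vgaregs(VGACommonState *s);
-+
-static inline bool vbe_enabled(VGACommonState *s)
-{
-return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
-@@ -482,6 +484,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
-printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
-#endif
-s->sr[s->sr_index] = val & sr_mask[s->sr_index];
-+ vbe_update_vgaregs(s);
-if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
-s->update_retrace_info(s);
-}
-@@ -513,6 +516,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
-printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
-#endif
-s->gr[s->gr_index] = val & gr_mask[s->gr_index];
-+ vbe_update_vgaregs(s);
-vga_update_memory_access(s);
-break;
-case VGA_CRT_IM:
-@@ -531,10 +535,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
-if (s->cr_index == VGA_CRTC_OVERFLOW) {
-s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
-(val & 0x10);
-+ vbe_update_vgaregs(s);
-}
-return;
-}
-s->cr[s->cr_index] = val;
-+ vbe_update_vgaregs(s);
-
-switch(s->cr_index) {
-case VGA_CRTC_H_TOTAL:
---
-2.7.4
-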