summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch')
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch80
1 files changed, 0 insertions, 80 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
deleted file mode 100644
index 96e980a58d..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
+++ /dev/null
@@ -1,80 +0,0 @@
1From 44b86aa32e4147c727fadd9a0f0bc503a5dedb72 Mon Sep 17 00:00:00 2001
2From: Gerd Hoffmann <kraxel@redhat.com>
3Date: Tue, 26 Apr 2016 14:48:06 +0200
4Subject: [PATCH 4/4] vga: make sure vga register setup for vbe stays intact
5 (CVE-2016-3712).
6
7Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
8registers, to make sure the vga registers will always have the
9values needed by vbe mode. This makes sure the sanity checks
10applied by vbe_fixup_regs() are effective.
11
12Without this guests can muck with shift_control, can turn on planar
13vga modes or text mode emulation while VBE is active, making qemu
14take code paths meant for CGA compatibility, but with the very
15large display widths and heigts settable using VBE registers.
16
17Which is good for one or another buffer overflow. Not that
18critical as they typically read overflows happening somewhere
19in the display code. So guests can DoS by crashing qemu with a
20segfault, but it is probably not possible to break out of the VM.
21
22Fixes: CVE-2016-3712
23Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
24Reported-by: P J P <ppandit@redhat.com>
25Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
26Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
27
28Upstream-Status: Backport
29CVE: CVE-2016-3712 patch4 ( the fix)
30Signed-off-by: Armin Kuster <akuster@mvista.com>
31
32---
33 hw/display/vga.c | 6 ++++++
34 1 file changed, 6 insertions(+)
35
36diff --git a/hw/display/vga.c b/hw/display/vga.c
37index 10ac7df..679070e 100644
38--- a/hw/display/vga.c
39+++ b/hw/display/vga.c
40@@ -140,6 +140,8 @@ static uint32_t expand4[256];
41 static uint16_t expand2[256];
42 static uint8_t expand4to8[16];
43
44+static void vbe_update_vgaregs(VGACommonState *s);
45+
46 static inline bool vbe_enabled(VGACommonState *s)
47 {
48 return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
49@@ -482,6 +484,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
50 printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
51 #endif
52 s->sr[s->sr_index] = val & sr_mask[s->sr_index];
53+ vbe_update_vgaregs(s);
54 if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
55 s->update_retrace_info(s);
56 }
57@@ -513,6 +516,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
58 printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
59 #endif
60 s->gr[s->gr_index] = val & gr_mask[s->gr_index];
61+ vbe_update_vgaregs(s);
62 vga_update_memory_access(s);
63 break;
64 case VGA_CRT_IM:
65@@ -531,10 +535,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
66 if (s->cr_index == VGA_CRTC_OVERFLOW) {
67 s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
68 (val & 0x10);
69+ vbe_update_vgaregs(s);
70 }
71 return;
72 }
73 s->cr[s->cr_index] = val;
74+ vbe_update_vgaregs(s);
75
76 switch(s->cr_index) {
77 case VGA_CRTC_H_TOTAL:
78--
792.7.4
80