diff options
Diffstat (limited to 'meta/recipes-devtools/qemu')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch | 504 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch | 53 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2017-13711.patch | 87 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch | 70 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/glibc-2.25.patch | 14 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.10.1.bb (renamed from meta/recipes-devtools/qemu/qemu_2.10.0.bb) | 8 |
6 files changed, 2 insertions, 734 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch deleted file mode 100644 index ce0b1ee3ed..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch +++ /dev/null | |||
| @@ -1,504 +0,0 @@ | |||
| 1 | From 3d90c6254863693a6b13d918d2b8682e08bbc681 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
| 3 | Date: Mon, 28 Aug 2017 14:29:06 +0200 | ||
| 4 | Subject: [PATCH] vga: stop passing pointers to vga_draw_line* functions | ||
| 5 | |||
| 6 | Instead pass around the address (aka offset into vga memory). | ||
| 7 | Add vga_read_* helper functions which apply vbe_size_mask to | ||
| 8 | the address, to make sure the address stays within the valid | ||
| 9 | range, similar to the cirrus blitter fixes (commits ffaf857778 | ||
| 10 | and 026aeffcb4). | ||
| 11 | |||
| 12 | Impact: DoS for privileged guest users. qemu crashes with | ||
| 13 | a segfault, when hitting the guard page after vga memory | ||
| 14 | allocation, while reading vga memory for display updates. | ||
| 15 | |||
| 16 | Fixes: CVE-2017-13672 | ||
| 17 | Cc: P J P <ppandit@redhat.com> | ||
| 18 | Reported-by: David Buchanan <d@vidbuchanan.co.uk> | ||
| 19 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
| 20 | Message-id: 20170828122906.18993-1-kraxel@redhat.com | ||
| 21 | |||
| 22 | Upstream-Status: Backport | ||
| 23 | [https://git.qemu.org/?p=qemu.git;a=commit;h=3d90c6254863693a6b13d918d2b8682e08bbc681] | ||
| 24 | |||
| 25 | CVE: CVE-2017-13672 | ||
| 26 | |||
| 27 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
| 28 | --- | ||
| 29 | hw/display/vga-helpers.h | 202 ++++++++++++++++++++++++++--------------------- | ||
| 30 | hw/display/vga.c | 5 +- | ||
| 31 | hw/display/vga_int.h | 1 + | ||
| 32 | 3 files changed, 114 insertions(+), 94 deletions(-) | ||
| 33 | |||
| 34 | diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h | ||
| 35 | index 94f6de2..5a752b3 100644 | ||
| 36 | --- a/hw/display/vga-helpers.h | ||
| 37 | +++ b/hw/display/vga-helpers.h | ||
| 38 | @@ -95,20 +95,46 @@ static void vga_draw_glyph9(uint8_t *d, int linesize, | ||
| 39 | } while (--h); | ||
| 40 | } | ||
| 41 | |||
| 42 | +static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr) | ||
| 43 | +{ | ||
| 44 | + return vga->vram_ptr[addr & vga->vbe_size_mask]; | ||
| 45 | +} | ||
| 46 | + | ||
| 47 | +static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr) | ||
| 48 | +{ | ||
| 49 | + uint32_t offset = addr & vga->vbe_size_mask & ~1; | ||
| 50 | + uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset); | ||
| 51 | + return lduw_le_p(ptr); | ||
| 52 | +} | ||
| 53 | + | ||
| 54 | +static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr) | ||
| 55 | +{ | ||
| 56 | + uint32_t offset = addr & vga->vbe_size_mask & ~1; | ||
| 57 | + uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset); | ||
| 58 | + return lduw_be_p(ptr); | ||
| 59 | +} | ||
| 60 | + | ||
| 61 | +static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr) | ||
| 62 | +{ | ||
| 63 | + uint32_t offset = addr & vga->vbe_size_mask & ~3; | ||
| 64 | + uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset); | ||
| 65 | + return ldl_le_p(ptr); | ||
| 66 | +} | ||
| 67 | + | ||
| 68 | /* | ||
| 69 | * 4 color mode | ||
| 70 | */ | ||
| 71 | -static void vga_draw_line2(VGACommonState *s1, uint8_t *d, | ||
| 72 | - const uint8_t *s, int width) | ||
| 73 | +static void vga_draw_line2(VGACommonState *vga, uint8_t *d, | ||
| 74 | + uint32_t addr, int width) | ||
| 75 | { | ||
| 76 | uint32_t plane_mask, *palette, data, v; | ||
| 77 | int x; | ||
| 78 | |||
| 79 | - palette = s1->last_palette; | ||
| 80 | - plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; | ||
| 81 | + palette = vga->last_palette; | ||
| 82 | + plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; | ||
| 83 | width >>= 3; | ||
| 84 | for(x = 0; x < width; x++) { | ||
| 85 | - data = ((uint32_t *)s)[0]; | ||
| 86 | + data = vga_read_dword_le(vga, addr); | ||
| 87 | data &= plane_mask; | ||
| 88 | v = expand2[GET_PLANE(data, 0)]; | ||
| 89 | v |= expand2[GET_PLANE(data, 2)] << 2; | ||
| 90 | @@ -124,7 +150,7 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d, | ||
| 91 | ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf]; | ||
| 92 | ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf]; | ||
| 93 | d += 32; | ||
| 94 | - s += 4; | ||
| 95 | + addr += 4; | ||
| 96 | } | ||
| 97 | } | ||
| 98 | |||
| 99 | @@ -134,17 +160,17 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d, | ||
| 100 | /* | ||
| 101 | * 4 color mode, dup2 horizontal | ||
| 102 | */ | ||
| 103 | -static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d, | ||
| 104 | - const uint8_t *s, int width) | ||
| 105 | +static void vga_draw_line2d2(VGACommonState *vga, uint8_t *d, | ||
| 106 | + uint32_t addr, int width) | ||
| 107 | { | ||
| 108 | uint32_t plane_mask, *palette, data, v; | ||
| 109 | int x; | ||
| 110 | |||
| 111 | - palette = s1->last_palette; | ||
| 112 | - plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; | ||
| 113 | + palette = vga->last_palette; | ||
| 114 | + plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; | ||
| 115 | width >>= 3; | ||
| 116 | for(x = 0; x < width; x++) { | ||
| 117 | - data = ((uint32_t *)s)[0]; | ||
| 118 | + data = vga_read_dword_le(vga, addr); | ||
| 119 | data &= plane_mask; | ||
| 120 | v = expand2[GET_PLANE(data, 0)]; | ||
| 121 | v |= expand2[GET_PLANE(data, 2)] << 2; | ||
| 122 | @@ -160,24 +186,24 @@ static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d, | ||
| 123 | PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]); | ||
| 124 | PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]); | ||
| 125 | d += 64; | ||
| 126 | - s += 4; | ||
| 127 | + addr += 4; | ||
| 128 | } | ||
| 129 | } | ||
| 130 | |||
| 131 | /* | ||
| 132 | * 16 color mode | ||
| 133 | */ | ||
| 134 | -static void vga_draw_line4(VGACommonState *s1, uint8_t *d, | ||
| 135 | - const uint8_t *s, int width) | ||
| 136 | +static void vga_draw_line4(VGACommonState *vga, uint8_t *d, | ||
| 137 | + uint32_t addr, int width) | ||
| 138 | { | ||
| 139 | uint32_t plane_mask, data, v, *palette; | ||
| 140 | int x; | ||
| 141 | |||
| 142 | - palette = s1->last_palette; | ||
| 143 | - plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; | ||
| 144 | + palette = vga->last_palette; | ||
| 145 | + plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; | ||
| 146 | width >>= 3; | ||
| 147 | for(x = 0; x < width; x++) { | ||
| 148 | - data = ((uint32_t *)s)[0]; | ||
| 149 | + data = vga_read_dword_le(vga, addr); | ||
| 150 | data &= plane_mask; | ||
| 151 | v = expand4[GET_PLANE(data, 0)]; | ||
| 152 | v |= expand4[GET_PLANE(data, 1)] << 1; | ||
| 153 | @@ -192,24 +218,24 @@ static void vga_draw_line4(VGACommonState *s1, uint8_t *d, | ||
| 154 | ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf]; | ||
| 155 | ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf]; | ||
| 156 | d += 32; | ||
| 157 | - s += 4; | ||
| 158 | + addr += 4; | ||
| 159 | } | ||
| 160 | } | ||
| 161 | |||
| 162 | /* | ||
| 163 | * 16 color mode, dup2 horizontal | ||
| 164 | */ | ||
| 165 | -static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d, | ||
| 166 | - const uint8_t *s, int width) | ||
| 167 | +static void vga_draw_line4d2(VGACommonState *vga, uint8_t *d, | ||
| 168 | + uint32_t addr, int width) | ||
| 169 | { | ||
| 170 | uint32_t plane_mask, data, v, *palette; | ||
| 171 | int x; | ||
| 172 | |||
| 173 | - palette = s1->last_palette; | ||
| 174 | - plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; | ||
| 175 | + palette = vga->last_palette; | ||
| 176 | + plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; | ||
| 177 | width >>= 3; | ||
| 178 | for(x = 0; x < width; x++) { | ||
| 179 | - data = ((uint32_t *)s)[0]; | ||
| 180 | + data = vga_read_dword_le(vga, addr); | ||
| 181 | data &= plane_mask; | ||
| 182 | v = expand4[GET_PLANE(data, 0)]; | ||
| 183 | v |= expand4[GET_PLANE(data, 1)] << 1; | ||
| 184 | @@ -224,7 +250,7 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d, | ||
| 185 | PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]); | ||
| 186 | PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]); | ||
| 187 | d += 64; | ||
| 188 | - s += 4; | ||
| 189 | + addr += 4; | ||
| 190 | } | ||
| 191 | } | ||
| 192 | |||
| 193 | @@ -233,21 +259,21 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d, | ||
| 194 | * | ||
| 195 | * XXX: add plane_mask support (never used in standard VGA modes) | ||
| 196 | */ | ||
| 197 | -static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d, | ||
| 198 | - const uint8_t *s, int width) | ||
| 199 | +static void vga_draw_line8d2(VGACommonState *vga, uint8_t *d, | ||
| 200 | + uint32_t addr, int width) | ||
| 201 | { | ||
| 202 | uint32_t *palette; | ||
| 203 | int x; | ||
| 204 | |||
| 205 | - palette = s1->last_palette; | ||
| 206 | + palette = vga->last_palette; | ||
| 207 | width >>= 3; | ||
| 208 | for(x = 0; x < width; x++) { | ||
| 209 | - PUT_PIXEL2(d, 0, palette[s[0]]); | ||
| 210 | - PUT_PIXEL2(d, 1, palette[s[1]]); | ||
| 211 | - PUT_PIXEL2(d, 2, palette[s[2]]); | ||
| 212 | - PUT_PIXEL2(d, 3, palette[s[3]]); | ||
| 213 | + PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]); | ||
| 214 | + PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]); | ||
| 215 | + PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]); | ||
| 216 | + PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]); | ||
| 217 | d += 32; | ||
| 218 | - s += 4; | ||
| 219 | + addr += 4; | ||
| 220 | } | ||
| 221 | } | ||
| 222 | |||
| 223 | @@ -256,63 +282,63 @@ static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d, | ||
| 224 | * | ||
| 225 | * XXX: add plane_mask support (never used in standard VGA modes) | ||
| 226 | */ | ||
| 227 | -static void vga_draw_line8(VGACommonState *s1, uint8_t *d, | ||
| 228 | - const uint8_t *s, int width) | ||
| 229 | +static void vga_draw_line8(VGACommonState *vga, uint8_t *d, | ||
| 230 | + uint32_t addr, int width) | ||
| 231 | { | ||
| 232 | uint32_t *palette; | ||
| 233 | int x; | ||
| 234 | |||
| 235 | - palette = s1->last_palette; | ||
| 236 | + palette = vga->last_palette; | ||
| 237 | width >>= 3; | ||
| 238 | for(x = 0; x < width; x++) { | ||
| 239 | - ((uint32_t *)d)[0] = palette[s[0]]; | ||
| 240 | - ((uint32_t *)d)[1] = palette[s[1]]; | ||
| 241 | - ((uint32_t *)d)[2] = palette[s[2]]; | ||
| 242 | - ((uint32_t *)d)[3] = palette[s[3]]; | ||
| 243 | - ((uint32_t *)d)[4] = palette[s[4]]; | ||
| 244 | - ((uint32_t *)d)[5] = palette[s[5]]; | ||
| 245 | - ((uint32_t *)d)[6] = palette[s[6]]; | ||
| 246 | - ((uint32_t *)d)[7] = palette[s[7]]; | ||
| 247 | + ((uint32_t *)d)[0] = palette[vga_read_byte(vga, addr + 0)]; | ||
| 248 | + ((uint32_t *)d)[1] = palette[vga_read_byte(vga, addr + 1)]; | ||
| 249 | + ((uint32_t *)d)[2] = palette[vga_read_byte(vga, addr + 2)]; | ||
| 250 | + ((uint32_t *)d)[3] = palette[vga_read_byte(vga, addr + 3)]; | ||
| 251 | + ((uint32_t *)d)[4] = palette[vga_read_byte(vga, addr + 4)]; | ||
| 252 | + ((uint32_t *)d)[5] = palette[vga_read_byte(vga, addr + 5)]; | ||
| 253 | + ((uint32_t *)d)[6] = palette[vga_read_byte(vga, addr + 6)]; | ||
| 254 | + ((uint32_t *)d)[7] = palette[vga_read_byte(vga, addr + 7)]; | ||
| 255 | d += 32; | ||
| 256 | - s += 8; | ||
| 257 | + addr += 8; | ||
| 258 | } | ||
| 259 | } | ||
| 260 | |||
| 261 | /* | ||
| 262 | * 15 bit color | ||
| 263 | */ | ||
| 264 | -static void vga_draw_line15_le(VGACommonState *s1, uint8_t *d, | ||
| 265 | - const uint8_t *s, int width) | ||
| 266 | +static void vga_draw_line15_le(VGACommonState *vga, uint8_t *d, | ||
| 267 | + uint32_t addr, int width) | ||
| 268 | { | ||
| 269 | int w; | ||
| 270 | uint32_t v, r, g, b; | ||
| 271 | |||
| 272 | w = width; | ||
| 273 | do { | ||
| 274 | - v = lduw_le_p((void *)s); | ||
| 275 | + v = vga_read_word_le(vga, addr); | ||
| 276 | r = (v >> 7) & 0xf8; | ||
| 277 | g = (v >> 2) & 0xf8; | ||
| 278 | b = (v << 3) & 0xf8; | ||
| 279 | ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); | ||
| 280 | - s += 2; | ||
| 281 | + addr += 2; | ||
| 282 | d += 4; | ||
| 283 | } while (--w != 0); | ||
| 284 | } | ||
| 285 | |||
| 286 | -static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d, | ||
| 287 | - const uint8_t *s, int width) | ||
| 288 | +static void vga_draw_line15_be(VGACommonState *vga, uint8_t *d, | ||
| 289 | + uint32_t addr, int width) | ||
| 290 | { | ||
| 291 | int w; | ||
| 292 | uint32_t v, r, g, b; | ||
| 293 | |||
| 294 | w = width; | ||
| 295 | do { | ||
| 296 | - v = lduw_be_p((void *)s); | ||
| 297 | + v = vga_read_word_be(vga, addr); | ||
| 298 | r = (v >> 7) & 0xf8; | ||
| 299 | g = (v >> 2) & 0xf8; | ||
| 300 | b = (v << 3) & 0xf8; | ||
| 301 | ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); | ||
| 302 | - s += 2; | ||
| 303 | + addr += 2; | ||
| 304 | d += 4; | ||
| 305 | } while (--w != 0); | ||
| 306 | } | ||
| 307 | @@ -320,38 +346,38 @@ static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d, | ||
| 308 | /* | ||
| 309 | * 16 bit color | ||
| 310 | */ | ||
| 311 | -static void vga_draw_line16_le(VGACommonState *s1, uint8_t *d, | ||
| 312 | - const uint8_t *s, int width) | ||
| 313 | +static void vga_draw_line16_le(VGACommonState *vga, uint8_t *d, | ||
| 314 | + uint32_t addr, int width) | ||
| 315 | { | ||
| 316 | int w; | ||
| 317 | uint32_t v, r, g, b; | ||
| 318 | |||
| 319 | w = width; | ||
| 320 | do { | ||
| 321 | - v = lduw_le_p((void *)s); | ||
| 322 | + v = vga_read_word_le(vga, addr); | ||
| 323 | r = (v >> 8) & 0xf8; | ||
| 324 | g = (v >> 3) & 0xfc; | ||
| 325 | b = (v << 3) & 0xf8; | ||
| 326 | ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); | ||
| 327 | - s += 2; | ||
| 328 | + addr += 2; | ||
| 329 | d += 4; | ||
| 330 | } while (--w != 0); | ||
| 331 | } | ||
| 332 | |||
| 333 | -static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d, | ||
| 334 | - const uint8_t *s, int width) | ||
| 335 | +static void vga_draw_line16_be(VGACommonState *vga, uint8_t *d, | ||
| 336 | + uint32_t addr, int width) | ||
| 337 | { | ||
| 338 | int w; | ||
| 339 | uint32_t v, r, g, b; | ||
| 340 | |||
| 341 | w = width; | ||
| 342 | do { | ||
| 343 | - v = lduw_be_p((void *)s); | ||
| 344 | + v = vga_read_word_be(vga, addr); | ||
| 345 | r = (v >> 8) & 0xf8; | ||
| 346 | g = (v >> 3) & 0xfc; | ||
| 347 | b = (v << 3) & 0xf8; | ||
| 348 | ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); | ||
| 349 | - s += 2; | ||
| 350 | + addr += 2; | ||
| 351 | d += 4; | ||
| 352 | } while (--w != 0); | ||
| 353 | } | ||
| 354 | @@ -359,36 +385,36 @@ static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d, | ||
| 355 | /* | ||
| 356 | * 24 bit color | ||
| 357 | */ | ||
| 358 | -static void vga_draw_line24_le(VGACommonState *s1, uint8_t *d, | ||
| 359 | - const uint8_t *s, int width) | ||
| 360 | +static void vga_draw_line24_le(VGACommonState *vga, uint8_t *d, | ||
| 361 | + uint32_t addr, int width) | ||
| 362 | { | ||
| 363 | int w; | ||
| 364 | uint32_t r, g, b; | ||
| 365 | |||
| 366 | w = width; | ||
| 367 | do { | ||
| 368 | - b = s[0]; | ||
| 369 | - g = s[1]; | ||
| 370 | - r = s[2]; | ||
| 371 | + b = vga_read_byte(vga, addr + 0); | ||
| 372 | + g = vga_read_byte(vga, addr + 1); | ||
| 373 | + r = vga_read_byte(vga, addr + 2); | ||
| 374 | ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); | ||
| 375 | - s += 3; | ||
| 376 | + addr += 3; | ||
| 377 | d += 4; | ||
| 378 | } while (--w != 0); | ||
| 379 | } | ||
| 380 | |||
| 381 | -static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d, | ||
| 382 | - const uint8_t *s, int width) | ||
| 383 | +static void vga_draw_line24_be(VGACommonState *vga, uint8_t *d, | ||
| 384 | + uint32_t addr, int width) | ||
| 385 | { | ||
| 386 | int w; | ||
| 387 | uint32_t r, g, b; | ||
| 388 | |||
| 389 | w = width; | ||
| 390 | do { | ||
| 391 | - r = s[0]; | ||
| 392 | - g = s[1]; | ||
| 393 | - b = s[2]; | ||
| 394 | + r = vga_read_byte(vga, addr + 0); | ||
| 395 | + g = vga_read_byte(vga, addr + 1); | ||
| 396 | + b = vga_read_byte(vga, addr + 2); | ||
| 397 | ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); | ||
| 398 | - s += 3; | ||
| 399 | + addr += 3; | ||
| 400 | d += 4; | ||
| 401 | } while (--w != 0); | ||
| 402 | } | ||
| 403 | @@ -396,44 +422,36 @@ static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d, | ||
| 404 | /* | ||
| 405 | * 32 bit color | ||
| 406 | */ | ||
| 407 | -static void vga_draw_line32_le(VGACommonState *s1, uint8_t *d, | ||
| 408 | - const uint8_t *s, int width) | ||
| 409 | +static void vga_draw_line32_le(VGACommonState *vga, uint8_t *d, | ||
| 410 | + uint32_t addr, int width) | ||
| 411 | { | ||
| 412 | -#ifndef HOST_WORDS_BIGENDIAN | ||
| 413 | - memcpy(d, s, width * 4); | ||
| 414 | -#else | ||
| 415 | int w; | ||
| 416 | uint32_t r, g, b; | ||
| 417 | |||
| 418 | w = width; | ||
| 419 | do { | ||
| 420 | - b = s[0]; | ||
| 421 | - g = s[1]; | ||
| 422 | - r = s[2]; | ||
| 423 | + b = vga_read_byte(vga, addr + 0); | ||
| 424 | + g = vga_read_byte(vga, addr + 1); | ||
| 425 | + r = vga_read_byte(vga, addr + 2); | ||
| 426 | ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); | ||
| 427 | - s += 4; | ||
| 428 | + addr += 4; | ||
| 429 | d += 4; | ||
| 430 | } while (--w != 0); | ||
| 431 | -#endif | ||
| 432 | } | ||
| 433 | |||
| 434 | -static void vga_draw_line32_be(VGACommonState *s1, uint8_t *d, | ||
| 435 | - const uint8_t *s, int width) | ||
| 436 | +static void vga_draw_line32_be(VGACommonState *vga, uint8_t *d, | ||
| 437 | + uint32_t addr, int width) | ||
| 438 | { | ||
| 439 | -#ifdef HOST_WORDS_BIGENDIAN | ||
| 440 | - memcpy(d, s, width * 4); | ||
| 441 | -#else | ||
| 442 | int w; | ||
| 443 | uint32_t r, g, b; | ||
| 444 | |||
| 445 | w = width; | ||
| 446 | do { | ||
| 447 | - r = s[1]; | ||
| 448 | - g = s[2]; | ||
| 449 | - b = s[3]; | ||
| 450 | + r = vga_read_byte(vga, addr + 1); | ||
| 451 | + g = vga_read_byte(vga, addr + 2); | ||
| 452 | + b = vga_read_byte(vga, addr + 3); | ||
| 453 | ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); | ||
| 454 | - s += 4; | ||
| 455 | + addr += 4; | ||
| 456 | d += 4; | ||
| 457 | } while (--w != 0); | ||
| 458 | -#endif | ||
| 459 | } | ||
| 460 | diff --git a/hw/display/vga.c b/hw/display/vga.c | ||
| 461 | index ad7a465..6fc8c87 100644 | ||
| 462 | --- a/hw/display/vga.c | ||
| 463 | +++ b/hw/display/vga.c | ||
| 464 | @@ -1005,7 +1005,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) | ||
| 465 | } | ||
| 466 | |||
| 467 | typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d, | ||
| 468 | - const uint8_t *s, int width); | ||
| 469 | + uint32_t srcaddr, int width); | ||
| 470 | |||
| 471 | #include "vga-helpers.h" | ||
| 472 | |||
| 473 | @@ -1666,7 +1666,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) | ||
| 474 | if (y_start < 0) | ||
| 475 | y_start = y; | ||
| 476 | if (!(is_buffer_shared(surface))) { | ||
| 477 | - vga_draw_line(s, d, s->vram_ptr + addr, width); | ||
| 478 | + vga_draw_line(s, d, addr, width); | ||
| 479 | if (s->cursor_draw_line) | ||
| 480 | s->cursor_draw_line(s, d, y); | ||
| 481 | } | ||
| 482 | @@ -2170,6 +2170,7 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate) | ||
| 483 | if (!s->vbe_size) { | ||
| 484 | s->vbe_size = s->vram_size; | ||
| 485 | } | ||
| 486 | + s->vbe_size_mask = s->vbe_size - 1; | ||
| 487 | |||
| 488 | s->is_vbe_vmstate = 1; | ||
| 489 | memory_region_init_ram_nomigrate(&s->vram, obj, "vga.vram", s->vram_size, | ||
| 490 | diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h | ||
| 491 | index dd6c958..ad34a1f 100644 | ||
| 492 | --- a/hw/display/vga_int.h | ||
| 493 | +++ b/hw/display/vga_int.h | ||
| 494 | @@ -94,6 +94,7 @@ typedef struct VGACommonState { | ||
| 495 | uint32_t vram_size; | ||
| 496 | uint32_t vram_size_mb; /* property */ | ||
| 497 | uint32_t vbe_size; | ||
| 498 | + uint32_t vbe_size_mask; | ||
| 499 | uint32_t latch; | ||
| 500 | bool has_chain4_alias; | ||
| 501 | MemoryRegion chain4_alias; | ||
| 502 | -- | ||
| 503 | 2.7.4 | ||
| 504 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch deleted file mode 100644 index 3d0695fd66..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch +++ /dev/null | |||
| @@ -1,53 +0,0 @@ | |||
| 1 | From e65294157d4b69393b3f819c99f4f647452b48e3 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
| 3 | Date: Mon, 28 Aug 2017 14:33:07 +0200 | ||
| 4 | Subject: [PATCH] vga: fix display update region calculation (split screen) | ||
| 5 | |||
| 6 | vga display update mis-calculated the region for the dirty bitmap | ||
| 7 | snapshot in case split screen mode is used. This can trigger an | ||
| 8 | assert in cpu_physical_memory_snapshot_get_dirty(). | ||
| 9 | |||
| 10 | Impact: DoS for privileged guest users. | ||
| 11 | |||
| 12 | Fixes: CVE-2017-13673 | ||
| 13 | Fixes: fec5e8c92becad223df9d972770522f64aafdb72 | ||
| 14 | Cc: P J P <ppandit@redhat.com> | ||
| 15 | Reported-by: David Buchanan <d@vidbuchanan.co.uk> | ||
| 16 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
| 17 | Message-id: 20170828123307.15392-1-kraxel@redhat.com | ||
| 18 | |||
| 19 | Upstream-Status: Backport | ||
| 20 | [https://git.qemu.org/?p=qemu.git;a=commit;h=e65294157d4b69393b3f819c99f4f647452b48e3] | ||
| 21 | |||
| 22 | CVE: CVE-2017-13673 | ||
| 23 | |||
| 24 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
| 25 | --- | ||
| 26 | hw/display/vga.c | 10 ++++++++-- | ||
| 27 | 1 file changed, 8 insertions(+), 2 deletions(-) | ||
| 28 | |||
| 29 | diff --git a/hw/display/vga.c b/hw/display/vga.c | ||
| 30 | index 3433102..ad7a465 100644 | ||
| 31 | --- a/hw/display/vga.c | ||
| 32 | +++ b/hw/display/vga.c | ||
| 33 | @@ -1628,9 +1628,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) | ||
| 34 | y1 = 0; | ||
| 35 | |||
| 36 | if (!full_update) { | ||
| 37 | + ram_addr_t region_start = addr1; | ||
| 38 | + ram_addr_t region_end = addr1 + line_offset * height; | ||
| 39 | vga_sync_dirty_bitmap(s); | ||
| 40 | - snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1, | ||
| 41 | - line_offset * height, | ||
| 42 | + if (s->line_compare < height) { | ||
| 43 | + /* split screen mode */ | ||
| 44 | + region_start = 0; | ||
| 45 | + } | ||
| 46 | + snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start, | ||
| 47 | + region_end - region_start, | ||
| 48 | DIRTY_MEMORY_VGA); | ||
| 49 | } | ||
| 50 | |||
| 51 | -- | ||
| 52 | 2.7.4 | ||
| 53 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-13711.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-13711.patch deleted file mode 100644 index 352f73f624..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2017-13711.patch +++ /dev/null | |||
| @@ -1,87 +0,0 @@ | |||
| 1 | From 1201d308519f1e915866d7583d5136d03cc1d384 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Samuel Thibault <samuel.thibault@ens-lyon.org> | ||
| 3 | Date: Fri, 25 Aug 2017 01:35:53 +0200 | ||
| 4 | Subject: [PATCH] slirp: fix clearing ifq_so from pending packets | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | The if_fastq and if_batchq contain not only packets, but queues of packets | ||
| 10 | for the same socket. When sofree frees a socket, it thus has to clear ifq_so | ||
| 11 | from all the packets from the queues, not only the first. | ||
| 12 | |||
| 13 | Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> | ||
| 14 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
| 15 | Cc: qemu-stable@nongnu.org | ||
| 16 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 17 | |||
| 18 | Upstream-Status: Backport | ||
| 19 | [https://git.qemu.org/?p=qemu.git;a=commit;h=1201d308519f1e915866d7583d5136d03cc1d384] | ||
| 20 | |||
| 21 | CVE: CVE-2017-13711 | ||
| 22 | |||
| 23 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
| 24 | --- | ||
| 25 | slirp/socket.c | 39 +++++++++++++++++++++++---------------- | ||
| 26 | 1 file changed, 23 insertions(+), 16 deletions(-) | ||
| 27 | |||
| 28 | diff --git a/slirp/socket.c b/slirp/socket.c | ||
| 29 | index ecec029..cb7b5b6 100644 | ||
| 30 | --- a/slirp/socket.c | ||
| 31 | +++ b/slirp/socket.c | ||
| 32 | @@ -60,29 +60,36 @@ socreate(Slirp *slirp) | ||
| 33 | } | ||
| 34 | |||
| 35 | /* | ||
| 36 | + * Remove references to so from the given message queue. | ||
| 37 | + */ | ||
| 38 | +static void | ||
| 39 | +soqfree(struct socket *so, struct quehead *qh) | ||
| 40 | +{ | ||
| 41 | + struct mbuf *ifq; | ||
| 42 | + | ||
| 43 | + for (ifq = (struct mbuf *) qh->qh_link; | ||
| 44 | + (struct quehead *) ifq != qh; | ||
| 45 | + ifq = ifq->ifq_next) { | ||
| 46 | + if (ifq->ifq_so == so) { | ||
| 47 | + struct mbuf *ifm; | ||
| 48 | + ifq->ifq_so = NULL; | ||
| 49 | + for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) { | ||
| 50 | + ifm->ifq_so = NULL; | ||
| 51 | + } | ||
| 52 | + } | ||
| 53 | + } | ||
| 54 | +} | ||
| 55 | + | ||
| 56 | +/* | ||
| 57 | * remque and free a socket, clobber cache | ||
| 58 | */ | ||
| 59 | void | ||
| 60 | sofree(struct socket *so) | ||
| 61 | { | ||
| 62 | Slirp *slirp = so->slirp; | ||
| 63 | - struct mbuf *ifm; | ||
| 64 | |||
| 65 | - for (ifm = (struct mbuf *) slirp->if_fastq.qh_link; | ||
| 66 | - (struct quehead *) ifm != &slirp->if_fastq; | ||
| 67 | - ifm = ifm->ifq_next) { | ||
| 68 | - if (ifm->ifq_so == so) { | ||
| 69 | - ifm->ifq_so = NULL; | ||
| 70 | - } | ||
| 71 | - } | ||
| 72 | - | ||
| 73 | - for (ifm = (struct mbuf *) slirp->if_batchq.qh_link; | ||
| 74 | - (struct quehead *) ifm != &slirp->if_batchq; | ||
| 75 | - ifm = ifm->ifq_next) { | ||
| 76 | - if (ifm->ifq_so == so) { | ||
| 77 | - ifm->ifq_so = NULL; | ||
| 78 | - } | ||
| 79 | - } | ||
| 80 | + soqfree(so, &slirp->if_fastq); | ||
| 81 | + soqfree(so, &slirp->if_batchq); | ||
| 82 | |||
| 83 | if (so->so_emu==EMU_RSH && so->extra) { | ||
| 84 | sofree(so->extra); | ||
| 85 | -- | ||
| 86 | 2.7.4 | ||
| 87 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch deleted file mode 100644 index 969ad877d6..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch +++ /dev/null | |||
| @@ -1,70 +0,0 @@ | |||
| 1 | From ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 3 | Date: Thu, 7 Sep 2017 12:02:56 +0530 | ||
| 4 | Subject: [PATCH] multiboot: validate multiboot header address values | ||
| 5 | |||
| 6 | While loading kernel via multiboot-v1 image, (flags & 0x00010000) | ||
| 7 | indicates that multiboot header contains valid addresses to load | ||
| 8 | the kernel image. These addresses are used to compute kernel | ||
| 9 | size and kernel text offset in the OS image. Validate these | ||
| 10 | address values to avoid an OOB access issue. | ||
| 11 | |||
| 12 | This is CVE-2017-14167. | ||
| 13 | |||
| 14 | Reported-by: Thomas Garnier <thgarnie@google.com> | ||
| 15 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 16 | Message-Id: <20170907063256.7418-1-ppandit@redhat.com> | ||
| 17 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
| 18 | |||
| 19 | Upstream-Status: Backport | ||
| 20 | [https://git.qemu.org/?p=qemu.git;a=commit;h=ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb] | ||
| 21 | |||
| 22 | CVE: CVE-2017-14167 | ||
| 23 | |||
| 24 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
| 25 | --- | ||
| 26 | hw/i386/multiboot.c | 19 +++++++++++++++++++ | ||
| 27 | 1 file changed, 19 insertions(+) | ||
| 28 | |||
| 29 | diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c | ||
| 30 | index 6001f4c..c7b70c9 100644 | ||
| 31 | --- a/hw/i386/multiboot.c | ||
| 32 | +++ b/hw/i386/multiboot.c | ||
| 33 | @@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg, | ||
| 34 | uint32_t mh_header_addr = ldl_p(header+i+12); | ||
| 35 | uint32_t mh_load_end_addr = ldl_p(header+i+20); | ||
| 36 | uint32_t mh_bss_end_addr = ldl_p(header+i+24); | ||
| 37 | + | ||
| 38 | mh_load_addr = ldl_p(header+i+16); | ||
| 39 | + if (mh_header_addr < mh_load_addr) { | ||
| 40 | + fprintf(stderr, "invalid mh_load_addr address\n"); | ||
| 41 | + exit(1); | ||
| 42 | + } | ||
| 43 | + | ||
| 44 | uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr); | ||
| 45 | uint32_t mb_load_size = 0; | ||
| 46 | mh_entry_addr = ldl_p(header+i+28); | ||
| 47 | |||
| 48 | if (mh_load_end_addr) { | ||
| 49 | + if (mh_bss_end_addr < mh_load_addr) { | ||
| 50 | + fprintf(stderr, "invalid mh_bss_end_addr address\n"); | ||
| 51 | + exit(1); | ||
| 52 | + } | ||
| 53 | mb_kernel_size = mh_bss_end_addr - mh_load_addr; | ||
| 54 | + | ||
| 55 | + if (mh_load_end_addr < mh_load_addr) { | ||
| 56 | + fprintf(stderr, "invalid mh_load_end_addr address\n"); | ||
| 57 | + exit(1); | ||
| 58 | + } | ||
| 59 | mb_load_size = mh_load_end_addr - mh_load_addr; | ||
| 60 | } else { | ||
| 61 | + if (kernel_file_size < mb_kernel_text_offset) { | ||
| 62 | + fprintf(stderr, "invalid kernel_file_size\n"); | ||
| 63 | + exit(1); | ||
| 64 | + } | ||
| 65 | mb_kernel_size = kernel_file_size - mb_kernel_text_offset; | ||
| 66 | mb_load_size = mb_kernel_size; | ||
| 67 | } | ||
| 68 | -- | ||
| 69 | 2.7.4 | ||
| 70 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/glibc-2.25.patch b/meta/recipes-devtools/qemu/qemu/glibc-2.25.patch index a6908bdbf9..25569449e4 100644 --- a/meta/recipes-devtools/qemu/qemu/glibc-2.25.patch +++ b/meta/recipes-devtools/qemu/qemu/glibc-2.25.patch | |||
| @@ -72,17 +72,3 @@ diff -uNr qemu-2.8.0.orig/configure qemu-2.8.0/configure | |||
| 72 | # Hold two types of flag: | 72 | # Hold two types of flag: |
| 73 | # CONFIG_THREAD_SETNAME_BYTHREAD - we've got a way of setting the name on | 73 | # CONFIG_THREAD_SETNAME_BYTHREAD - we've got a way of setting the name on |
| 74 | # a thread we have a handle to | 74 | # a thread we have a handle to |
| 75 | diff -uNr qemu-2.8.0.orig/include/sysemu/os-posix.h qemu-2.8.0/include/sysemu/os-posix.h | ||
| 76 | --- qemu-2.8.0.orig/include/sysemu/os-posix.h 2016-12-20 21:16:48.000000000 +0100 | ||
| 77 | +++ qemu-2.8.0/include/sysemu/os-posix.h 2017-02-21 19:07:18.009090381 +0100 | ||
| 78 | @@ -34,6 +34,10 @@ | ||
| 79 | #include <netdb.h> | ||
| 80 | #include <sys/un.h> | ||
| 81 | |||
| 82 | +#ifdef CONFIG_SYSMACROS | ||
| 83 | +#include <sys/sysmacros.h> | ||
| 84 | +#endif | ||
| 85 | + | ||
| 86 | void os_set_line_buffering(void); | ||
| 87 | void os_set_proc_name(const char *s); | ||
| 88 | void os_setup_signal_handling(void); | ||
diff --git a/meta/recipes-devtools/qemu/qemu_2.10.0.bb b/meta/recipes-devtools/qemu/qemu_2.10.1.bb index 75e2a259fa..6e9b68b0ff 100644 --- a/meta/recipes-devtools/qemu/qemu_2.10.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.10.1.bb | |||
| @@ -24,10 +24,6 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \ | |||
| 24 | file://0003-Introduce-condition-in-TPM-backend-for-notification.patch \ | 24 | file://0003-Introduce-condition-in-TPM-backend-for-notification.patch \ |
| 25 | file://0004-Add-support-for-VM-suspend-resume-for-TPM-TIS-v2.9.patch \ | 25 | file://0004-Add-support-for-VM-suspend-resume-for-TPM-TIS-v2.9.patch \ |
| 26 | file://apic-fixup-fallthrough-to-PIC.patch \ | 26 | file://apic-fixup-fallthrough-to-PIC.patch \ |
| 27 | file://CVE-2017-13711.patch \ | ||
| 28 | file://CVE-2017-13673.patch \ | ||
| 29 | file://CVE-2017-13672.patch \ | ||
| 30 | file://CVE-2017-14167.patch \ | ||
| 31 | " | 27 | " |
| 32 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar" | 28 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar" |
| 33 | 29 | ||
| @@ -37,8 +33,8 @@ SRC_URI_append_class-native = " \ | |||
| 37 | file://cpus.c-qemu_cpu_kick_thread_debugging.patch \ | 33 | file://cpus.c-qemu_cpu_kick_thread_debugging.patch \ |
| 38 | " | 34 | " |
| 39 | 35 | ||
| 40 | SRC_URI[md5sum] = "ca73441de73a9b52c6c49c97190d2185" | 36 | SRC_URI[md5sum] = "b375373f688bea0cd8865b966dad15e3" |
| 41 | SRC_URI[sha256sum] = "7e9f39e1306e6dcc595494e91c1464d4b03f55ddd2053183e0e1b69f7f776d48" | 37 | SRC_URI[sha256sum] = "8e040bc7556401ebb3a347a8f7878e9d4028cf71b2744b1a1699f4e741966ba8" |
| 42 | 38 | ||
| 43 | COMPATIBLE_HOST_mipsarchn32 = "null" | 39 | COMPATIBLE_HOST_mipsarchn32 = "null" |
| 44 | COMPATIBLE_HOST_mipsarchn64 = "null" | 40 | COMPATIBLE_HOST_mipsarchn64 = "null" |