From 71d585a8deafbeea66a517313d9ae10862484d22 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Wed, 10 May 2017 14:17:32 +0200
Subject: qemu: Upgrade 2.5.1 -> 2.5.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a minor upgrade only comes with security fixes in qemu VGA and UART code to avoid corruptions (CVE-2016-3710 and CVE-2016-3712). For review details, http://git.qemu.org/?p=qemu.git;a=log;h=v2.5.1.1
(From OE-Core rev: da522c0c248c9a8b10a90de4cd6e7e05367e637d)
This patch is backported from upstream morty branch: http://git.yoctoproject.org/cgit/cgit.cgi/poky/patch/?id=b0207e742542cc44086d612df0a216cc45875538
Signed-off-by: Aníbal Limón
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 .../qemu/qemu/CVE-2016-3712_p2.patch | 132 ---------------------
 1 file changed, 132 deletions(-)
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch
(limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch')
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch
deleted file mode 100644
index 11330d766d..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From 2f2f74e87c15e830f5a4dda7a166effcab5047ec Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Tue, 26 Apr 2016 15:24:18 +0200
-Subject: [PATCH 2/4] vga: factor out vga register setup
-
-When enabling vbe mode qemu will setup a bunch of vga registers to make
-sure the vga emulation operates in correct mode for a linear
-framebuffer. Move that code to a separate function so we can call it
-from other places too.
-
-Signed-off-by: Gerd Hoffmann
-Signed-off-by: Michael Roth
-
-Upstream-Status: Backport
-CVE: CVE-2016-3712 patch2
-Signed-off-by: Armin Kuster
-
----
- hw/display/vga.c | 78 ++++++++++++++++++++++++++++++++------------------------
- 1 file changed, 44 insertions(+), 34 deletions(-)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index cc1a682..f1987e3 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -642,6 +642,49 @@ static void vbe_fixup_regs(VGACommonState *s)
- s->vbe_start_addr = offset / 4;
- }
- 
-+/* we initialize the VGA graphic mode */
-+static void vbe_update_vgaregs(VGACommonState *s)
-+{
-+ int h, shift_control;
-+
-+ if (!vbe_enabled(s)) {
-+ /* vbe is turned off -- nothing to do */
-+ return;
-+ }
-+
-+ /* graphic mode + memory map 1 */
-+ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
-+ VGA_GR06_GRAPHICS_MODE;
-+ s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
-+ s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
-+ /* width */
-+ s->cr[VGA_CRTC_H_DISP] =
-+ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
-+ /* height (only meaningful if < 1024) */
-+ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
-+ s->cr[VGA_CRTC_V_DISP_END] = h;
-+ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
-+ ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
-+ /* line compare to 1023 */
-+ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
-+ s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
-+ s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
-+
-+ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
-+ shift_control = 0;
-+ s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
-+ } else {
-+ shift_control = 2;
-+ /* set chain 4 mode */
-+ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
-+ /* activate all planes */
-+ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
-+ }
-+ s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
-+ (shift_control << 5);
-+ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
-+}
-+
- static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr)
- {
- VGACommonState *s = opaque;
-@@ -728,52 +771,19 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
- case VBE_DISPI_INDEX_ENABLE:
- if ((val & VBE_DISPI_ENABLED) &&
- !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
-- int h, shift_control;
- 
- s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0;
- s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0;
- s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0;
- s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;
- vbe_fixup_regs(s);
-+ vbe_update_vgaregs(s);
- 
- /* clear the screen */
- if (!(val & VBE_DISPI_NOCLEARMEM)) {
- memset(s->vram_ptr, 0,
- s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset);
- }
--
-- /* we initialize the VGA graphic mode */
-- /* graphic mode + memory map 1 */
-- s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
-- VGA_GR06_GRAPHICS_MODE;
-- s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
-- s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
-- /* width */
-- s->cr[VGA_CRTC_H_DISP] =
-- (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
-- /* height (only meaningful if < 1024) */
-- h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
-- s->cr[VGA_CRTC_V_DISP_END] = h;
-- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
-- ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
-- /* line compare to 1023 */
-- s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
-- s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
-- s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
--
-- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
-- shift_control = 0;
-- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
-- } else {
-- shift_control = 2;
-- /* set chain 4 mode */
-- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
-- /* activate all planes */
-- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
-- }
-- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
-- (shift_control << 5);
-- s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
- } else {
- s->bank_offset = 0;
- }
--- 
-2.7.4
-
-- cgit v1.2.3-54-g00ecf