From 71d585a8deafbeea66a517313d9ae10862484d22 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Wed, 10 May 2017 14:17:32 +0200
Subject: qemu: Upgrade 2.5.1 -> 2.5.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is a minor upgrade only comes with security fixes in qemu VGA and UART code to avoid corruptions (CVE-2016-3710 and CVE-2016-3712).
For review details, http://git.qemu.org/?p=qemu.git;a=log;h=v2.5.1.1
(From OE-Core rev: da522c0c248c9a8b10a90de4cd6e7e05367e637d)
This patch is backported from upstream morty branch: http://git.yoctoproject.org/cgit/cgit.cgi/poky/patch/?id=b0207e742542cc44086d612df0a216cc45875538
Signed-off-by: Aníbal Limón
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 .../qemu/qemu/CVE-2016-3712_p4.patch | 80 ----------------------
 1 file changed, 80 deletions(-)
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
(limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch')
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
deleted file mode 100644
index 96e980a58d..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 44b86aa32e4147c727fadd9a0f0bc503a5dedb72 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Tue, 26 Apr 2016 14:48:06 +0200
-Subject: [PATCH 4/4] vga: make sure vga register setup for vbe stays intact
- (CVE-2016-3712).
-
-Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
-registers, to make sure the vga registers will always have the
-values needed by vbe mode. This makes sure the sanity checks
-applied by vbe_fixup_regs() are effective.
-
-Without this guests can muck with shift_control, can turn on planar
-vga modes or text mode emulation while VBE is active, making qemu
-take code paths meant for CGA compatibility, but with the very
-large display widths and heigts settable using VBE registers.
-
-Which is good for one or another buffer overflow. Not that
-critical as they typically read overflows happening somewhere
-in the display code. So guests can DoS by crashing qemu with a
-segfault, but it is probably not possible to break out of the VM.
-
-Fixes: CVE-2016-3712
-Reported-by: Zuozhi Fzz
-Reported-by: P J P
-Signed-off-by: Gerd Hoffmann
-Signed-off-by: Michael Roth
-
-Upstream-Status: Backport
-CVE: CVE-2016-3712 patch4 ( the fix)
-Signed-off-by: Armin Kuster
-
----
- hw/display/vga.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index 10ac7df..679070e 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -140,6 +140,8 @@ static uint32_t expand4[256];
- static uint16_t expand2[256];
- static uint8_t expand4to8[16];
-
-+static void vbe_update_vgaregs(VGACommonState *s);
-+
- static inline bool vbe_enabled(VGACommonState *s)
- {
- return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
-@@ -482,6 +484,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
- printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
- #endif
- s->sr[s->sr_index] = val & sr_mask[s->sr_index];
-+ vbe_update_vgaregs(s);
- if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
- s->update_retrace_info(s);
- }
-@@ -513,6 +516,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
- printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
- #endif
- s->gr[s->gr_index] = val & gr_mask[s->gr_index];
-+ vbe_update_vgaregs(s);
- vga_update_memory_access(s);
- break;
- case VGA_CRT_IM:
-@@ -531,10 +535,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
- if (s->cr_index == VGA_CRTC_OVERFLOW) {
- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
- (val & 0x10);
-+ vbe_update_vgaregs(s);
- }
- return;
- }
- s->cr[s->cr_index] = val;
-+ vbe_update_vgaregs(s);
-
- switch(s->cr_index) {
- case VGA_CRTC_H_TOTAL:
---
-2.7.4
-
-- cgit v1.2.3-54-g00ecf