From ea62893915678119070eaec78322ed2e34edd21f Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Mon, 19 Sep 2016 18:12:42 -0700
Subject: qemu: Security Fix CVE-2016-3712 affects qemu < 2.6.0
(From OE-Core rev: ed78691a46a3c928297ae166e92fabdffa9e53c9)
Signed-off-by: Armin Kuster
Signed-off-by: Richard Purdie
---
 .../qemu/qemu/CVE-2016-3712_p4.patch | 80 ++++++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
(limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch')
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
new file mode 100644
index 0000000000..96e980a58d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p4.patch
@@ -0,0 +1,80 @@
+From 44b86aa32e4147c727fadd9a0f0bc503a5dedb72 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Tue, 26 Apr 2016 14:48:06 +0200
+Subject: [PATCH 4/4] vga: make sure vga register setup for vbe stays intact
+ (CVE-2016-3712).
+
+Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
+registers, to make sure the vga registers will always have the
+values needed by vbe mode. This makes sure the sanity checks
+applied by vbe_fixup_regs() are effective.
+
+Without this guests can muck with shift_control, can turn on planar
+vga modes or text mode emulation while VBE is active, making qemu
+take code paths meant for CGA compatibility, but with the very
+large display widths and heigts settable using VBE registers.
+
+Which is good for one or another buffer overflow. Not that
+critical as they typically read overflows happening somewhere
+in the display code. So guests can DoS by crashing qemu with a
+segfault, but it is probably not possible to break out of the VM.
+
+Fixes: CVE-2016-3712
+Reported-by: Zuozhi Fzz
+Reported-by: P J P
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Michael Roth
+
+Upstream-Status: Backport
+CVE: CVE-2016-3712 patch4 ( the fix)
+Signed-off-by: Armin Kuster
+
+---
+ hw/display/vga.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 10ac7df..679070e 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -140,6 +140,8 @@ static uint32_t expand4[256];
+ static uint16_t expand2[256];
+ static uint8_t expand4to8[16];
+
++static void vbe_update_vgaregs(VGACommonState *s);
++
+ static inline bool vbe_enabled(VGACommonState *s)
+ {
+ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
+@@ -482,6 +484,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
+ #endif
+ s->sr[s->sr_index] = val & sr_mask[s->sr_index];
++ vbe_update_vgaregs(s);
+ if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
+ s->update_retrace_info(s);
+ }
+@@ -513,6 +516,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
+ #endif
+ s->gr[s->gr_index] = val & gr_mask[s->gr_index];
++ vbe_update_vgaregs(s);
+ vga_update_memory_access(s);
+ break;
+ case VGA_CRT_IM:
+@@ -531,10 +535,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ if (s->cr_index == VGA_CRTC_OVERFLOW) {
+ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
+ (val & 0x10);
++ vbe_update_vgaregs(s);
+ }
+ return;
+ }
+ s->cr[s->cr_index] = val;
++ vbe_update_vgaregs(s);
+
+ switch(s->cr_index) {
+ case VGA_CRTC_H_TOTAL:
+--
+2.7.4
+
--
cgit v1.2.3-54-g00ecf
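Review bot: The diffstat lists only the new CVE-2016-3712_p4.patch, and a file dropped into meta/recipes-devtools/qemu/qemu does nothing until the qemu recipe's SRC_URI names it; this page is limited to the patch file, so confirm the SRC_URI entry landed in the same commit and is ordered after the earlier patches of this series, since the backported hunk references vbe_fixup_regs() from the message and forward-declares vbe_update_vgaregs(), both of which the preceding parts of the series are expected to provide. The four added `vbe_update_vgaregs(s);` calls sit inside vga_ioport_write(), whose body starts and ends outside the hunk, so whether the re-sync actually re-applies the VBE sanity checks depends on the body of vbe_update_vgaregs() that is not visible here; a build-time check that the function is still defined before its first use in vga.c of the pinned qemu version would catch a mismatched backport. The header line `CVE: CVE-2016-3712 patch4 ( the fix)` would read more clearly as `CVE: CVE-2016-3712 (patch 4 of 4, the actual fix)`, keeping the OE convention of one CVE tag per patch file.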