diff options
author | Armin Kuster <akuster@mvista.com> | 2016-09-19 18:02:55 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-09-23 23:21:43 +0100 |
commit | 8ce0ce8a229f8cb2b854e3b9619a9ad75d9b6fe4 (patch) | |
tree | c79d0e8253cbd5441d4127d270ce4f940a89bbf4 | |
parent | 15b6586ae64f745777ba5c42f4cf055aeeed83d8 (diff) | |
download | openembedded-core-8ce0ce8a229f8cb2b854e3b9619a9ad75d9b6fe4.tar.gz openembedded-core-8ce0ce8a229f8cb2b854e3b9619a9ad75d9b6fe4.tar.bz2 openembedded-core-8ce0ce8a229f8cb2b854e3b9619a9ad75d9b6fe4.zip |
qemu: Security Fix CVE-2016-3710
affects Qemu < 2.6.0
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch | 112 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.4.0.bb | 1 |
2 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch new file mode 100644 index 0000000000..d3cd52bd5f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch @@ -0,0 +1,112 @@ +From 4f0323d26c8da08b7bcfdd4722a38711bd2f1a3b Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 26 Apr 2016 08:49:10 +0200 +Subject: [PATCH] vga: fix banked access bounds checking (CVE-2016-3710) + +vga allows banked access to video memory using the window at 0xa00000 +and it supports a different access modes with different address +calculations. + +The VBE bochs extentions support banked access too, using the +VBE_DISPI_INDEX_BANK register. The code tries to take the different +address calculations into account and applies different limits to +VBE_DISPI_INDEX_BANK depending on the current access mode. + +Which is probably effective in stopping misprogramming by accident. +But from a security point of view completely useless as an attacker +can easily change access modes after setting the bank register. + +Drop the bogus check, add range checks to vga_mem_{readb,writeb} +instead. + +Fixes: CVE-2016-3710 +Reported-by: Qinghao Tang <luodalongde@gmail.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> + +Upstream-Status: Backport +CVE: CVE-2016-3710 +Signed-off-by: Armin Kuster <akuster@mvista.com> +--- + hw/display/vga.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 9f68394..442fee9 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -177,6 +177,7 @@ static void vga_update_memory_access(VGACommonState *s) + size = 0x8000; + break; + } ++ assert(offset + size <= s->vram_size); + memory_region_init_alias(&s->chain4_alias, memory_region_owner(&s->vram), + "vga.chain4", &s->vram, offset, size); + memory_region_add_subregion_overlap(s->legacy_address_space, base, +@@ -714,11 +715,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val) + vbe_fixup_regs(s); + break; + case VBE_DISPI_INDEX_BANK: +- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { +- val &= (s->vbe_bank_mask >> 2); +- } else { +- val &= s->vbe_bank_mask; +- } ++ val &= s->vbe_bank_mask; + s->vbe_regs[s->vbe_index] = val; + s->bank_offset = (val << 16); + vga_update_memory_access(s); +@@ -817,13 +814,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr) + + if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { + /* chain 4 mode : simplest access */ ++ assert(addr < s->vram_size); + ret = s->vram_ptr[addr]; + } else if (s->gr[VGA_GFX_MODE] & 0x10) { + /* odd/even mode (aka text mode mapping) */ + plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); +- ret = s->vram_ptr[((addr & ~1) << 1) | plane]; ++ addr = ((addr & ~1) << 1) | plane; ++ if (addr >= s->vram_size) { ++ return 0xff; ++ } ++ ret = s->vram_ptr[addr]; + } else { + /* standard VGA latched access */ ++ if (addr * sizeof(uint32_t) >= s->vram_size) { ++ return 0xff; ++ } + s->latch = ((uint32_t *)s->vram_ptr)[addr]; + + if (!(s->gr[VGA_GFX_MODE] & 0x08)) { +@@ -880,6 +885,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + plane = addr & 3; + mask = (1 << plane); + if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { ++ assert(addr < s->vram_size); + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM + printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr); +@@ -893,6 +899,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + mask = (1 << plane); + if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { + addr = ((addr & ~1) << 1) | plane; ++ if (addr >= s->vram_size) { ++ return; ++ } + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM + printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr); +@@ -966,6 +975,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + mask = s->sr[VGA_SEQ_PLANE_WRITE]; + s->plane_updated |= mask; /* only used to detect font change */ + write_mask = mask16[mask]; ++ if (addr * sizeof(uint32_t) >= s->vram_size) { ++ return; ++ } + ((uint32_t *)s->vram_ptr)[addr] = + (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) | + (val & write_mask); +-- +2.7.4 + diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb index 8d47b16e64..f32424200d 100644 --- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb @@ -20,6 +20,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ file://CVE-2015-7295_3.patch \ file://CVE-2016-2197.patch \ file://CVE-2016-2198.patch \ + file://CVE-2016-3710.patch \ " SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4" |