[Qemu-commits] [qemu/qemu] 4f0323: vga: fix banked access bounds checkin
From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 4f0323: vga: fix banked access bounds checking (CVE-2016-3...
Date: Mon, 09 May 2016 12:30:06 -0700
Branch: refs/heads/stable-2.5
Home: https://github.com/qemu/qemu
Commit: 4f0323d26c8da08b7bcfdd4722a38711bd2f1a3b
https://github.com/qemu/qemu/commit/4f0323d26c8da08b7bcfdd4722a38711bd2f1a3b
Author: Gerd Hoffmann <address@hidden>
Date: 2016-05-08 (Sun, 08 May 2016)
Changed paths:
M hw/display/vga.c
Log Message:
-----------
vga: fix banked access bounds checking (CVE-2016-3710)
vga allows banked access to video memory using the window at 0xa00000
and it supports different access modes with different address
calculations.
The VBE bochs extensions support banked access too, using the
VBE_DISPI_INDEX_BANK register. The code tries to take the different
address calculations into account and applies different limits to
VBE_DISPI_INDEX_BANK depending on the current access mode.
Which is probably effective in stopping misprogramming by accident.
But from a security point of view completely useless as an attacker
can easily change access modes after setting the bank register.
Drop the bogus check, add range checks to vga_mem_{readb,writeb}
instead.
Fixes: CVE-2016-3710
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
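The flaw described in the commit message above, as an added illustration in C that is not QEMU's vga.c: a toy banked window whose vram size, bank size, aperture size and two access modes are assumptions of this example. It shows why a limit applied to the bank register under the mode current at write time is no protection once the guest changes mode, and the approach the fix takes instead, range-checking the final address inside the byte read and write path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a banked VGA window. The sizes and the two access modes are
 * assumptions chosen for this example; none of this is QEMU's vga.c. */
#define VRAM_SIZE   (256u * 1024u)   /* emulated video memory  */
#define BANK_SIZE   (64u * 1024u)    /* one bank register step */
#define WINDOW_SIZE (64u * 1024u)    /* guest-visible aperture */

enum access_mode {
    MODE_CHAIN4 = 0,   /* a window offset maps 1:1 onto vram           */
    MODE_PLANAR = 1,   /* a window offset selects a 4-byte plane group */
};

struct toy_vga {
    uint8_t vram[VRAM_SIZE];
    uint32_t bank;           /* guest-written bank register */
    enum access_mode mode;   /* guest-selected access mode  */
};

static struct toy_vga g_vga;  /* file scope: too large for a stack frame */

static uint32_t access_width(const struct toy_vga *s)
{
    return s->mode == MODE_PLANAR ? 4u : 1u;
}

/* Final vram address: depends on the bank register AND the current mode. */
static uint64_t vram_addr(const struct toy_vga *s, uint32_t win_off)
{
    uint64_t addr = (uint64_t)s->bank * BANK_SIZE + win_off;
    return addr * access_width(s);
}

/* The pattern the commit drops: clamp the bank register at write time using
 * whichever mode happens to be selected right now. */
static bool set_bank_mode_limited(struct toy_vga *s, uint32_t bank)
{
    uint32_t limit = VRAM_SIZE / (BANK_SIZE * access_width(s));
    if (bank >= limit) {
        return false;
    }
    s->bank = bank;
    return true;
}

/* Would this access land outside vram? Computes only; touches nothing. */
static bool access_escapes_vram(const struct toy_vga *s, uint32_t win_off)
{
    return vram_addr(s, win_off) + access_width(s) > VRAM_SIZE;
}

/* The fix's approach: range-check the computed address on every byte access,
 * whatever sequence of bank and mode writes produced it. Out-of-range writes
 * are dropped; out-of-range reads return 0xff. */
static int vga_mem_writeb_checked(struct toy_vga *s, uint32_t win_off, uint8_t val)
{
    if (win_off >= WINDOW_SIZE || access_escapes_vram(s, win_off)) {
        return -1;
    }
    s->vram[vram_addr(s, win_off)] = val;   /* plane select omitted in the toy */
    return 0;
}

static int vga_mem_readb_checked(const struct toy_vga *s, uint32_t win_off)
{
    if (win_off >= WINDOW_SIZE || access_escapes_vram(s, win_off)) {
        return 0xff;
    }
    return s->vram[vram_addr(s, win_off)];
}

/* The sequence from the commit message: program the bank while the looser
 * mode limit applies, then switch modes so the same bank points past vram. */
static bool bank_limit_is_bypassed(struct toy_vga *s)
{
    memset(s, 0, sizeof(*s));
    s->mode = MODE_CHAIN4;
    bool accepted = set_bank_mode_limited(s, 3);  /* 3 < 256K/64K = 4: accepted */
    s->mode = MODE_PLANAR;                         /* planar limit would have been 1 */
    return accepted && access_escapes_vram(s, 0);  /* 3 * 64K * 4 = 768K > 256K */
}

int main(void)
{
    printf("bank limit bypassed by mode switch: %s\n",
           bank_limit_is_bypassed(&g_vga) ? "yes" : "no");
    printf("checked write after bypass: %d\n", vga_mem_writeb_checked(&g_vga, 0, 0x42));
    return 0;
}
```

The point of the design is where the check lives: the only quantity that is stable across guest register writes is the address that is about to be dereferenced, so that is what gets compared against the vram size.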
Commit: 46aff2c7e91ef9f372ad38ba5e90c42b9b27ac75
https://github.com/qemu/qemu/commit/46aff2c7e91ef9f372ad38ba5e90c42b9b27ac75
Author: Gerd Hoffmann <address@hidden>
Date: 2016-05-08 (Sun, 08 May 2016)
Changed paths:
M hw/display/vga.c
Log Message:
-----------
vga: add vbe_enabled() helper
Makes code a bit easier to read.
Signed-off-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
Commit: 2f2f74e87c15e830f5a4dda7a166effcab5047ec
https://github.com/qemu/qemu/commit/2f2f74e87c15e830f5a4dda7a166effcab5047ec
Author: Gerd Hoffmann <address@hidden>
Date: 2016-05-08 (Sun, 08 May 2016)
Changed paths:
M hw/display/vga.c
Log Message:
-----------
vga: factor out vga register setup
When enabling vbe mode qemu will set up a bunch of vga registers to make
sure the vga emulation operates in correct mode for a linear
framebuffer. Move that code to a separate function so we can call it
from other places too.
Signed-off-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
Commit: a6e5e5dd4bbc022acbd10ebcf415a6a57418d09e
https://github.com/qemu/qemu/commit/a6e5e5dd4bbc022acbd10ebcf415a6a57418d09e
Author: Gerd Hoffmann <address@hidden>
Date: 2016-05-08 (Sun, 08 May 2016)
Changed paths:
M hw/display/vga.c
Log Message:
-----------
vga: update vga register setup on vbe changes
Call the new vbe_update_vgaregs() function on vbe configuration
changes, to make sure vga registers are up-to-date.
Signed-off-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
Commit: 44b86aa32e4147c727fadd9a0f0bc503a5dedb72
https://github.com/qemu/qemu/commit/44b86aa32e4147c727fadd9a0f0bc503a5dedb72
Author: Gerd Hoffmann <address@hidden>
Date: 2016-05-08 (Sun, 08 May 2016)
Changed paths:
M hw/display/vga.c
Log Message:
-----------
vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
registers, to make sure the vga registers will always have the
values needed by vbe mode. This makes sure the sanity checks
applied by vbe_fixup_regs() are effective.
Without this guests can muck with shift_control, can turn on planar
vga modes or text mode emulation while VBE is active, making qemu
take code paths meant for CGA compatibility, but with the very
large display widths and heights settable using VBE registers.
Which is good for one or another buffer overflow. Not that
critical as they are typically read overflows happening somewhere
in the display code. So guests can DoS by crashing qemu with a
segfault, but it is probably not possible to break out of the VM.
Fixes: CVE-2016-3712
Reported-by: Zuozhi Fzz <address@hidden>
Reported-by: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
Commit: 706bab670bab12dddca0318b402461013e412270
https://github.com/qemu/qemu/commit/706bab670bab12dddca0318b402461013e412270
Author: Gerd Hoffmann <address@hidden>
Date: 2016-05-08 (Sun, 08 May 2016)
Changed paths:
M hw/usb/hcd-ehci.c
Log Message:
-----------
ehci: apply limit to iTD/sidt descriptors
Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
DoS by the guest (create a circular iTD queue and let qemu ehci
emulation run in circles forever). Unfortunately this has two problems:
First it misses the case of siTDs, and second it reportedly breaks
FreeBSD.
So let's go for a different approach: just count the number of iTDs and
siTDs we have seen per frame and apply a limit. That should really
catch all cases now.
Reported-by: 杜少博 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 1ae3f2f178087711f9591350abad133525ba93f2)
Signed-off-by: Michael Roth <address@hidden>
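The counting approach the commit message describes, as an added illustration in C that is not QEMU's hcd-ehci.c: a toy walker over one periodic frame's horizontal list. The descriptor struct, the limit value and the three sample lists (a well-formed frame, a self-linked siTD and a mixed iTD/siTD cycle) are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy walker for one periodic frame, modelled on the approach the commit
 * describes. The descriptor struct, the limit value and the sample lists are
 * constructed for this example; none of it is QEMU's hcd-ehci.c. */
enum desc_type { DESC_ITD, DESC_SITD };

struct desc {
    enum desc_type type;
    const struct desc *next;   /* horizontal link; NULL stands for the T bit */
};

#define MAX_ISO_PER_FRAME 64u  /* assumed limit; QEMU picks its own value */

struct walk_result {
    unsigned itds;       /* iTDs processed in this frame  */
    unsigned sitds;      /* siTDs processed in this frame */
    bool limit_hit;      /* frame abandoned: the list never terminated */
};

/* Counting iTDs and siTDs together bounds the work per frame even when the
 * guest links the descriptors into a cycle, and covers the siTD case the
 * earlier iTD-only approach missed. */
static struct walk_result walk_frame(const struct desc *d)
{
    struct walk_result r = { 0, 0, false };
    unsigned seen = 0;

    while (d != NULL) {
        if (++seen > MAX_ISO_PER_FRAME) {
            r.limit_hit = true;   /* a real implementation would log a guest error */
            break;
        }
        if (d->type == DESC_ITD) {
            r.itds++;
        } else {
            r.sitds++;
        }
        d = d->next;
    }
    return r;
}

/* Constructed sample 1: a well-formed frame, iTD -> siTD -> iTD -> end. */
static const struct desc linear_frame[3] = {
    { DESC_ITD,  &linear_frame[1] },
    { DESC_SITD, &linear_frame[2] },
    { DESC_ITD,  NULL },
};

/* Constructed sample 2: an siTD whose horizontal link points at itself. */
static const struct desc looped_sitd = { DESC_SITD, &looped_sitd };

/* Constructed sample 3: a two-element cycle mixing both descriptor kinds. */
static const struct desc mixed_cycle[2] = {
    { DESC_ITD,  &mixed_cycle[1] },
    { DESC_SITD, &mixed_cycle[0] },
};

int main(void)
{
    struct walk_result r = walk_frame(&looped_sitd);
    printf("self-linked siTD: limit_hit=%d sitds=%u\n", r.limit_hit, r.sitds);
    r = walk_frame(linear_frame);
    printf("linear frame: limit_hit=%d itds=%u sitds=%u\n", r.limit_hit, r.itds, r.sitds);
    return 0;
}
```

A per-frame counter has a property that cycle detection does not: it needs no memory of which descriptors were already visited, so it cannot misfire on a legitimate guest that reuses descriptors across frames, and the cost of a hostile list is capped at the limit rather than at "forever".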
Commit: 0bcdb632f871fc5c80ded99e52445da35a8eaaa7
https://github.com/qemu/qemu/commit/0bcdb632f871fc5c80ded99e52445da35a8eaaa7
Author: Gerd Hoffmann <address@hidden>
Date: 2016-05-08 (Sun, 08 May 2016)
Changed paths:
M hw/usb/hcd-ehci.c
Log Message:
-----------
Revert "ehci: make idt processing more robust"
This reverts commit 156a2e4dbffa85997636a7a39ef12da6f1b40254.
Breaks FreeBSD.
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit a49923d2837d20510d645d3758f1ad87c32d0730)
Signed-off-by: Michael Roth <address@hidden>
Commit: 5b7236f7256974d9c0286fa4837aa5e15ef5c629
https://github.com/qemu/qemu/commit/5b7236f7256974d9c0286fa4837aa5e15ef5c629
Author: Michael S. Tsirkin <address@hidden>
Date: 2016-05-09 (Mon, 09 May 2016)
Changed paths:
M hw/char/cadence_uart.c
Log Message:
-----------
cadence_uart: bounds check write offset
cadence_uart_init() initializes an I/O memory region of size 0x1000
bytes. However in uart_write(), the 'offset' parameter (offset within
region) is divided by 4 and then used to index the array 'r' of size
CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2'
exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
write where the offset and the value are controlled by guest.
This will corrupt QEMU memory, in most situations this causes the vm to
crash.
Fix by checking the offset against the array size.
Cc: address@hidden
Reported-by: 李强 <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Alistair Francis <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 5eb0b194e9b01ba0f3613e6ddc2cb9f63ce96ae5)
Signed-off-by: Michael Roth <address@hidden>
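The mismatch the commit message describes, as an added illustration in C that is not hw/char/cadence_uart.c: a toy register file using the region size (0x1000) and register count (0x48/4) from the message, with the write path carrying the check the fix adds. The struct, helpers and sentinel field are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy register file for the UART. The region size and register count are the
 * numbers the commit message gives; the struct and helpers are constructed for
 * this example and are not hw/char/cadence_uart.c. */
#define UART_REGION_SIZE 0x1000u
#define UART_R_MAX       (0x48u / 4u)   /* 18 word-sized registers */

struct toy_uart {
    uint32_t r[UART_R_MAX];
    uint32_t sentinel;   /* the first thing an overrun of r[] would clobber */
};

/* Write path with the fix: the region is 0x1000 bytes, so the MMIO layer lets
 * offsets up to 0xfff through; the check must happen here, against the array. */
static bool uart_write(struct toy_uart *s, uint64_t offset, uint32_t value)
{
    if (offset >= UART_REGION_SIZE) {
        return false;   /* outside the region: the dispatcher would never pass this */
    }
    offset >>= 2;
    if (offset >= UART_R_MAX) {
        return false;   /* guest error: log and drop rather than index r[] */
    }
    s->r[offset] = value;
    return true;
}

static uint32_t uart_read(const struct toy_uart *s, uint64_t offset)
{
    offset >>= 2;
    return offset < UART_R_MAX ? s->r[offset] : 0;
}

/* Size of the exposed-but-unbacked range: word offsets inside the region
 * whose index would fall past the end of r[]. */
static unsigned unbacked_word_offsets(void)
{
    unsigned n = 0;
    for (uint64_t off = 0; off < UART_REGION_SIZE; off += 4) {
        if ((off >> 2) >= UART_R_MAX) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    struct toy_uart u = { {0}, 0xdeadbeef };
    printf("write at 0x100 accepted: %d, sentinel intact: %d\n",
           uart_write(&u, 0x100, 0x1234), u.sentinel == 0xdeadbeef);
    printf("word offsets not backed by r[]: %u of %u\n",
           unbacked_word_offsets(), UART_REGION_SIZE / 4);
    return 0;
}
```

The general lesson is that the size of the memory region registered with the MMIO layer and the size of the backing array are two independent numbers; whenever they differ, the handler itself must bound the index, because the dispatcher only enforces the former.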
Commit: db51dfc1fcaf0027a5f266b7def4317605848c6a
https://github.com/qemu/qemu/commit/db51dfc1fcaf0027a5f266b7def4317605848c6a
Author: Michael Roth <address@hidden>
Date: 2016-05-09 (Mon, 09 May 2016)
Changed paths:
M VERSION
Log Message:
-----------
Update version for 2.5.1.1 release
Signed-off-by: Michael Roth <address@hidden>
Compare: https://github.com/qemu/qemu/compare/a58047f7fbb0...db51dfc1fcaf