
[Xen-changelog] [qemu-xen stable-4.3] vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).



commit c97c20f71240a538a19cb6b0e598bc1bbd5168f1
Author:     Gerd Hoffmann <kraxel@xxxxxxxxxx>
AuthorDate: Wed May 4 17:43:36 2016 +0100
Commit:     Anthony PERARD <anthony.perard@xxxxxxxxxx>
CommitDate: Tue May 10 11:52:12 2016 +0100

    vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
    
    Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
    registers, to make sure the vga registers will always have the
    values needed by vbe mode.  This makes sure the sanity checks
    applied by vbe_fixup_regs() are effective.
    
    Without this guests can muck with shift_control, can turn on planar
    vga modes or text mode emulation while VBE is active, making qemu
    take code paths meant for CGA compatibility, but with the very
    large display widths and heights settable using VBE registers.
    
    Which is good for one or another buffer overflow.  Not that
    critical, as they are typically read overflows happening somewhere
    in the display code.  So guests can DoS by crashing qemu with a
    segfault, but it is probably not possible to break out of the VM.
    
    upstream-commit-id: fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7
    
    Fixes: CVE-2016-3712
    Reported-by: Zuozhi Fzz <zuozhi.fzz@xxxxxxxxxxxxxxx>
    Reported-by: P J P <ppandit@xxxxxxxxxx>
    Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
    Signed-off-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
---
 hw/vga.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/vga.c b/hw/vga.c
index 1ac8083..17b389e 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -169,6 +169,8 @@ static uint8_t expand4to8[16];
 static void vga_screen_dump(void *opaque, const char *filename, bool cswitch,
                             Error **errp);
 
+static void vbe_update_vgaregs(VGACommonState *s);
+
 static inline bool vbe_enabled(VGACommonState *s)
 {
     return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
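Review bot: the forward declaration of vbe_update_vgaregs() is only needed because its definition sits below vga_ioport_write(); that is acceptable for a minimal security backport, but note that the body is not part of this patch, so a reviewer cannot see from the diff whether it returns early when !vbe_enabled(s). If it does not, every legacy VGA register write in the hunks below would be rewritten to VBE values even when VBE is off, so that condition should be confirmed in the existing definition before merging.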
@@ -515,6 +517,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t 
val)
         printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
 #endif
         s->sr[s->sr_index] = val & sr_mask[s->sr_index];
+        vbe_update_vgaregs(s);
         if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
             s->update_retrace_info(s);
         }
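Review bot: the ordering here is correct but worth stating: s->sr[] is masked and stored first, vbe_update_vgaregs(s) then gets a chance to overwrite it, and only after that does the VGA_SEQ_CLOCK_MODE branch call s->update_retrace_info(s), so the retrace timing is derived from the fixed-up value rather than from the raw guest write. If vbe_update_vgaregs() were ever moved after the retrace update, the guest could again get a retrace state computed from a value that the fixup later discards.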
@@ -546,6 +549,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t 
val)
         printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
 #endif
         s->gr[s->gr_index] = val & gr_mask[s->gr_index];
+        vbe_update_vgaregs(s);
         vga_update_memory_access(s);
         break;
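Review bot: placing vbe_update_vgaregs(s) before vga_update_memory_access(s) is the right order, since the memory mapping is recomputed from the graphics-controller registers and must see the post-fixup values; a brief comment on the call (for example "/* keep GR consistent with VBE before remapping */") would make the dependency explicit for the next person who reorders this block.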
     case VGA_CRT_IM:
@@ -564,10 +568,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, 
uint32_t val)
             if (s->cr_index == VGA_CRTC_OVERFLOW) {
                 s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
                     (val & 0x10);
+                vbe_update_vgaregs(s);
             }
             return;
         }
         s->cr[s->cr_index] = val;
+        vbe_update_vgaregs(s);
 
         switch(s->cr_index) {
         case VGA_CRTC_H_TOTAL:
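Review bot: the two call sites in this hunk are both needed because of the early return in the write-protect branch: when CR0-CR7 are protected, only bit 4 of VGA_CRTC_OVERFLOW is updated and the function returns before the general path, so the fixup has to be invoked inside that branch too. For the other protected indices nothing is written and no call is made, which is fine. The general-path call sits before the switch on s->cr_index, so the per-register handling below it operates on the fixed-up value; keep it there if this code is restructured.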
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#stable-4.3

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
