qemu-commits

[Qemu-commits] [qemu/qemu] 3bf181: vga: fix banked access bounds checkin


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 3bf181: vga: fix banked access bounds checking (CVE-2016-3...
Date: Mon, 09 May 2016 06:30:09 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e
      https://github.com/qemu/qemu/commit/3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-05-02 (Mon, 02 May 2016)

  Changed paths:
    M hw/display/vga.c

  Log Message:
  -----------
  vga: fix banked access bounds checking (CVE-2016-3710)

vga allows banked access to video memory using the window at 0xa00000
and it supports different access modes with different address
calculations.

The VBE bochs extensions support banked access too, using the
VBE_DISPI_INDEX_BANK register.  The code tries to take the different
address calculations into account and applies different limits to
VBE_DISPI_INDEX_BANK depending on the current access mode.

Which is probably effective in stopping misprogramming by accident.
But from a security point of view completely useless as an attacker
can easily change access modes after setting the bank register.

Drop the bogus check, add range checks to vga_mem_{readb,writeb}
instead.

Fixes: CVE-2016-3710
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
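The commit message above describes the defect and the fix only in words. The following is an added example, written for this page and not taken from QEMU's hw/display/vga.c: a constructed toy model of banked video memory with two hypothetical access modes (linear and a "planar" mode that scales addresses by four). The constants, the `toy_` names and the 0xff open-bus value for out-of-range reads are this example's own assumptions. It contrasts the "before" pattern (a bank-register limit chosen from the mode current at write time) with the "after" pattern (a range check on the final address in every readb/writeb), and shows that only the second one holds when the mode changes after the bank was set.

```c
/* Added example, not QEMU code: toy model of banked VGA memory that shows
 * why a limit on the bank register alone is not a bounds check. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VRAM_SIZE   (256u * 1024u)  /* constructed: 256 KiB of video RAM */
#define BANK_SIZE   (64u * 1024u)   /* constructed: size of the banked window */

/* Hypothetical access modes: "planar" addresses four planes per byte. */
enum toy_mode { TOY_LINEAR = 0, TOY_PLANAR = 1 };

struct toy_vga {
    uint8_t vram[VRAM_SIZE];
    uint32_t bank;       /* stand-in for VBE_DISPI_INDEX_BANK */
    enum toy_mode mode;
};

/* Address the guest reaches through the window: bank * BANK_SIZE plus the
 * window offset, scaled by the number of planes in the current mode. */
static uint32_t toy_address(const struct toy_vga *s, uint32_t offset)
{
    uint32_t addr = s->bank * BANK_SIZE + (offset & (BANK_SIZE - 1));
    return s->mode == TOY_PLANAR ? addr * 4 : addr;
}

/* "Before" pattern: the limit depends on the mode at the time the bank
 * register is written, and nothing re-checks it later. */
static bool toy_set_bank_mode_dependent(struct toy_vga *s, uint32_t bank)
{
    uint32_t limit = (s->mode == TOY_PLANAR)
                   ? VRAM_SIZE / (4 * BANK_SIZE)   /* 1 bank allowed in planar mode */
                   : VRAM_SIZE / BANK_SIZE;        /* 4 banks allowed in linear mode */
    if (bank >= limit) {
        return false;
    }
    s->bank = bank;
    return true;
}

/* Demonstrates the flaw: a bank accepted in linear mode puts the computed
 * address outside VRAM once the mode is switched to planar. Only the
 * address is computed here; no memory is touched. */
static bool toy_bank_check_is_bypassable(void)
{
    static struct toy_vga s;
    memset(&s, 0, sizeof s);
    s.mode = TOY_LINEAR;
    bool accepted = toy_set_bank_mode_dependent(&s, 3); /* 3 < 4: accepted */
    s.mode = TOY_PLANAR;                                /* mode changed afterwards */
    uint32_t addr = toy_address(&s, 0);                 /* 3 * 64 KiB * 4 = 768 KiB */
    return accepted && addr >= VRAM_SIZE;
}

/* "After" pattern: range-check the final address on every access. */
static uint8_t toy_mem_readb(const struct toy_vga *s, uint32_t offset)
{
    uint32_t addr = toy_address(s, offset);
    if (addr >= VRAM_SIZE) {
        return 0xff;   /* open-bus value for out-of-range reads (this toy's choice) */
    }
    return s->vram[addr];
}

static bool toy_mem_writeb(struct toy_vga *s, uint32_t offset, uint8_t val)
{
    uint32_t addr = toy_address(s, offset);
    if (addr >= VRAM_SIZE) {
        return false;  /* out-of-range write is dropped */
    }
    s->vram[addr] = val;
    return true;
}

/* Same register sequence as above, now against the per-access check:
 * in-range access round-trips, the post-switch out-of-range access does not. */
static bool toy_access_checks_hold(void)
{
    static struct toy_vga s;
    memset(&s, 0, sizeof s);
    s.mode = TOY_LINEAR;
    s.bank = 3;   /* no mode-dependent limit on the register itself any more */
    bool in_ok = toy_mem_writeb(&s, 0x10, 0x5a) && toy_mem_readb(&s, 0x10) == 0x5a;
    s.mode = TOY_PLANAR;   /* switch mode after setting the bank */
    bool out_dropped = !toy_mem_writeb(&s, 0x10, 0x5a) && toy_mem_readb(&s, 0x10) == 0xff;
    return in_ok && out_dropped;
}

int main(void)
{
    printf("mode-dependent bank limit bypassable: %s\n",
           toy_bank_check_is_bypassable() ? "yes" : "no");
    printf("per-access range check holds:         %s\n",
           toy_access_checks_hold() ? "yes" : "no");
    return 0;
}
```

The design point is the one the commit message makes: a validity check that depends on other mutable state is only as good as the invariant that the state will not change, and guest-controlled registers offer no such invariant. Checking the fully computed address at the point of use removes the dependency altogether.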


  Commit: bfa0f151a564a83b5a26f3e917da98674bf3cf62
      https://github.com/qemu/qemu/commit/bfa0f151a564a83b5a26f3e917da98674bf3cf62
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-05-02 (Mon, 02 May 2016)

  Changed paths:
    M hw/display/vga.c

  Log Message:
  -----------
  vga: add vbe_enabled() helper

Makes code a bit easier to read.

Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 7fa5c2c5dc9f9bf878c1e8669eb9644d70a71e71
      https://github.com/qemu/qemu/commit/7fa5c2c5dc9f9bf878c1e8669eb9644d70a71e71
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-05-02 (Mon, 02 May 2016)

  Changed paths:
    M hw/display/vga.c

  Log Message:
  -----------
  vga: factor out vga register setup

When enabling vbe mode qemu will setup a bunch of vga registers to make
sure the vga emulation operates in correct mode for a linear
framebuffer.  Move that code to a separate function so we can call it
from other places too.

Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 2068192dcccd8a80dddfcc8df6164cf9c26e0fc4
      https://github.com/qemu/qemu/commit/2068192dcccd8a80dddfcc8df6164cf9c26e0fc4
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-05-02 (Mon, 02 May 2016)

  Changed paths:
    M hw/display/vga.c

  Log Message:
  -----------
  vga: update vga register setup on vbe changes

Call the new vbe_update_vgaregs() function on vbe configuration
changes, to make sure vga registers are up-to-date.

Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7
      https://github.com/qemu/qemu/commit/fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-05-02 (Mon, 02 May 2016)

  Changed paths:
    M hw/display/vga.c

  Log Message:
  -----------
  vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).

Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
registers, to make sure the vga registers will always have the
values needed by vbe mode.  This makes sure the sanity checks
applied by vbe_fixup_regs() are effective.

Without this guests can muck with shift_control, can turn on planar
vga modes or text mode emulation while VBE is active, making qemu
take code paths meant for CGA compatibility, but with the very
large display widths and heights settable using VBE registers.

Which is good for one or another buffer overflow.  Not that
critical as they are typically read overflows happening somewhere
in the display code.  So guests can DoS by crashing qemu with a
segfault, but it is probably not possible to break out of the VM.

Fixes: CVE-2016-3712
Reported-by: Zuozhi Fzz <address@hidden>
Reported-by: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
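The fix for CVE-2016-3712 described above re-applies the VBE register setup whenever the guest writes a legacy GFX, SEQ or CRT register. The following is an added example, written for this page and not QEMU's own code: a constructed toy model with a `toy_vbe_update_vgaregs()` stand-in, a legacy GFX write that either does or does not call it, and a toy scanline renderer whose planar path is sized for legacy widths and refuses (rather than overruns) when handed a VBE-sized width. The register layout, the `TOY_` constants and the renderer are all assumptions of this example.

```c
/* Added example, not QEMU code: toy model of keeping the VGA registers in
 * the state a VBE linear mode needs, even after legacy register writes. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_SHIFT_LINEAR    2u    /* constructed: shift_control value for linear 8bpp */
#define TOY_LEGACY_LINE_PX  800u  /* constructed: widest line the planar path is sized for */

struct toy_regs {
    bool     vbe_enabled;
    uint32_t vbe_xres;        /* VBE-programmed width; may far exceed legacy widths */
    uint8_t  shift_control;   /* legacy GFX mode bits: 0 = planar, 2 = linear */
    uint8_t  crt_width;       /* legacy CRT width in 8-pixel units */
};

/* Stand-in for vbe_update_vgaregs(): reassert the values VBE mode needs. */
static void toy_vbe_update_vgaregs(struct toy_regs *r)
{
    if (r->vbe_enabled) {
        r->shift_control = TOY_SHIFT_LINEAR;
    }
}

/* Legacy GFX register write. `fixed` selects whether the write re-runs
 * the VBE setup (the "after" behaviour) or leaves the raw value ("before"). */
static void toy_gfx_write(struct toy_regs *r, uint8_t val, bool fixed)
{
    r->shift_control = val;
    if (fixed) {
        toy_vbe_update_vgaregs(r);
    }
}

/* Toy scanline renderer. The linear path sizes its work from the width
 * itself; the planar/CGA path uses a scratch buffer sized for legacy
 * widths only, and returns false instead of overrunning it. */
static bool toy_draw_line(const struct toy_regs *r)
{
    uint32_t width = r->vbe_enabled ? r->vbe_xres : (uint32_t)r->crt_width * 8;
    if (r->shift_control == TOY_SHIFT_LINEAR) {
        return true;
    }
    uint8_t planar_buf[TOY_LEGACY_LINE_PX];
    if (width > sizeof planar_buf) {
        return false;   /* a renderer without this check would overflow here */
    }
    memset(planar_buf, 0, width);
    return true;
}

/* VBE is on with a large width; the guest then flips shift_control to
 * planar through the legacy register. Returns whether the next line draw
 * stays on an in-bounds path. */
static bool toy_line_render_in_bounds(bool fixed)
{
    struct toy_regs r = {
        .vbe_enabled   = true,
        .vbe_xres      = 4096,              /* constructed VBE width */
        .shift_control = TOY_SHIFT_LINEAR,
        .crt_width     = 0,
    };
    toy_gfx_write(&r, 0, fixed);            /* legacy write selecting planar mode */
    return toy_draw_line(&r);
}

int main(void)
{
    printf("legacy write without fixup: %s\n",
           toy_line_render_in_bounds(false) ? "in bounds" : "out of bounds");
    printf("legacy write with fixup:    %s\n",
           toy_line_render_in_bounds(true) ? "in bounds" : "out of bounds");
    return 0;
}
```

The pattern is the general one: when a sanity check (here, the one `vbe_fixup_regs()` applies) establishes an invariant over several registers, every write path that can disturb one of those registers has to re-establish it, or the check protects nothing.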


  Commit: 53db932604dfa7bb9241d132e0173894cf54261c
      https://github.com/qemu/qemu/commit/53db932604dfa7bb9241d132e0173894cf54261c
  Author: Peter Maydell <address@hidden>
  Date:   2016-05-09 (Mon, 09 May 2016)

  Changed paths:
    M hw/display/vga.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20160509-1' into staging

vga security fixes (CVE-2016-3710, CVE-2016-3712)

# gpg: Signature made Mon 09 May 2016 13:39:30 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"

* remotes/kraxel/tags/pull-vga-20160509-1:
  vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
  vga: update vga register setup on vbe changes
  vga: factor out vga register setup
  vga: add vbe_enabled() helper
  vga: fix banked access bounds checking (CVE-2016-3710)

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/975eb6a547f8...53db932604df
