[Qemu-commits] [qemu/qemu] 92f2b8: cirrus: add blit_is_unsafe call to cirrus_bitblt_c...

[GitHub]

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 92f2b88cea48c6aeba8de568a45f2ed958f3c298
      
https://github.com/qemu/qemu/commit/92f2b88cea48c6aeba8de568a45f2ed958f3c298
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-02-24 (Fri, 24 Feb 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)

CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all.  Oops.  Fix it.

Security impact: high.

The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 63f495beb4007de5444614125fd6fd178ca6e2b1
      
https://github.com/qemu/qemu/commit/63f495beb4007de5444614125fd6fd178ca6e2b1
  Author: Peter Maydell <address@hidden>
  Date:   2017-02-24 (Fri, 24 Feb 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  Merge remote-tracking branch 
'remotes/kraxel/tags/pull-cve-2017-2620-20170224-1' into staging

cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)

# gpg: Signature made Fri 24 Feb 2017 13:42:39 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/pull-cve-2017-2620-20170224-1:
  cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/5842b55fd403...63f495beb400