diff --git a/SOURCES/kvm-vga-add-ram_addr_t-cast.patch b/SOURCES/kvm-vga-add-ram_addr_t-cast.patch
new file mode 100644
index 0000000..bc09fa1
--- /dev/null
+++ b/SOURCES/kvm-vga-add-ram_addr_t-cast.patch
@@ -0,0 +1,41 @@
+From 793f93597e16bbe37da8b0e884f9f17d1790b99a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 9 Apr 2018 13:27:35 +0200
+Subject: [PATCH 1/2] vga: add ram_addr_t cast
+
+RH-Author: Gerd Hoffmann
+Message-id: <20180409132736.24598-2-kraxel@redhat.com>
+Patchwork-id: 79513
+O-Subject: [RHEL-7.5 qemu-kvm PATCH 1/2] vga: add ram_addr_t cast
+Bugzilla: 1567913
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: John Snow
+
+Reported by Coverity.
+
+Fixes: CID 1381409
+Signed-off-by: Gerd Hoffmann
+Message-id: 20171010141323.14049-4-kraxel@redhat.com
+(cherry picked from commit b0898b42ef099bc125db1fbf62b7f02b505ef3a2)
+Signed-off-by: Miroslav Rezanina
+---
+ hw/display/vga.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 017e951..8e6c6d6 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1534,7 +1534,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ disp_width = width;
+
+ region_start = (s->start_addr * 4);
+- region_end = region_start + s->line_offset * height;
++ region_end = region_start + (ram_addr_t)s->line_offset * height;
+ if (region_end > s->vbe_size) {
+ /* wraps around (can happen with cirrus vbe modes) */
+ region_start = 0;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-fix-region-calculation.patch b/SOURCES/kvm-vga-fix-region-calculation.patch
new file mode 100644
index 0000000..099430e
--- /dev/null
+++ b/SOURCES/kvm-vga-fix-region-calculation.patch
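Review bot: The widening cast on the added line covers only `s->line_offset * height`, while `region_start = (s->start_addr * 4)` on the preceding context line is still evaluated in the type of `start_addr` before it is stored; if that field is a 32-bit type (the hunk does not show its declaration), the same truncate-before-widen pattern that presumably motivated the Coverity report applies to it too. Worth confirming the field width, and if it can exceed 32 bits, making the two computations consistent with `region_start = (ram_addr_t)s->start_addr * 4;`. Since the commit message gives only a CID as rationale, a short comment on the new line would help later readers: `/* widen before multiplying: line_offset * height may not fit in 32 bits */`. `vga_draw_graphic` starts and continues outside the hunk.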
@@ -0,0 +1,47 @@
+From 3ed3904f7411bd5896aebdfcc6fe202dbfc2eef6 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 9 Apr 2018 13:27:36 +0200
+Subject: [PATCH 2/2] vga: fix region calculation
+
+RH-Author: Gerd Hoffmann
+Message-id: <20180409132736.24598-3-kraxel@redhat.com>
+Patchwork-id: 79512
+O-Subject: [RHEL-7.5 qemu-kvm PATCH 2/2] vga: fix region calculation
+Bugzilla: 1567913
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: John Snow
+
+Typically the scanline length and the line offset are identical. But
+in case they are not our calculation for region_end is incorrect. Using
+line_offset is fine for all scanlines, except the last one where we have
+to use the actual scanline length.
+
+Fixes: CVE-2018-7550
+Reported-by: Ross Lagerwall
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Prasad J Pandit
+Tested-by: Ross Lagerwall
+Message-id: 20180309143704.13420-1-kraxel@redhat.com
+(cherry picked from commit 7cdc61becd095b64a786b2625f321624e7111f3d)
+Signed-off-by: Miroslav Rezanina
+---
+ hw/display/vga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 8e6c6d6..9270a75 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1535,6 +1535,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+
+ region_start = (s->start_addr * 4);
+ region_end = region_start + (ram_addr_t)s->line_offset * height;
++ region_end += width * s->get_bpp(s) / 8; /* scanline length */
++ region_end -= s->line_offset;
+ if (region_end > s->vbe_size) {
+ /* wraps around (can happen with cirrus vbe modes) */
+ region_start = 0;
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 11271e0..9513bd7 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
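Review bot: `region_end -= s->line_offset;` on the second added line assumes `region_end` already contains at least one full `line_offset` stride, which holds only when `height` is at least 1; if a zero `height` can reach this point (its derivation is outside the hunk) and `ram_addr_t` is unsigned, the subtraction wraps to a huge value and the `vbe_size` check that follows treats an empty region as a wrap-around, so a guard or a note on why `height >= 1` is guaranteed would be worth adding. The new scanline term `width * s->get_bpp(s) / 8` is evaluated in `int` before the addition, unlike the `(ram_addr_t)` widening applied on the line above it; `region_end += (ram_addr_t)width * s->get_bpp(s) / 8;` would keep the whole expression in the wider type for consistency. The trailing `/* scanline length */` comment could state the reason from the commit message: `/* the last scanline covers only its visible bytes, not a full line_offset stride */`. Separately, the embedded `Fixes:` trailer names CVE-2018-7550 while the spec changelog in the same change attributes this fix to CVE-2018-7858 under bz#1567913; worth confirming which identifier is intended. `vga_draw_graphic` starts and continues outside the hunk.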
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 156%{?dist}
+Release: 156%{?dist}.1
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2+ and LGPLv2+ and BSD
@@ -3865,6 +3865,10 @@ Patch1903: kvm-ui-avoid-sign-extension-using-client-width-height.patch
 Patch1904: kvm-ui-correctly-advance-output-buffer-when-writing-SASL.patch
 # For bz#1518711 - CVE-2017-15268 qemu-kvm: Qemu: I/O: potential memory exhaustion via websock connection to VNC [rhel-7.5]
 Patch1905: kvm-io-skip-updates-to-client-if-websocket-output-buffer.patch
+# For bz#1567913 - CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z]
+Patch1906: kvm-vga-add-ram_addr_t-cast.patch
+# For bz#1567913 - CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z]
+Patch1907: kvm-vga-fix-region-calculation.patch
 
 BuildRequires: zlib-devel
 
@@ -5948,6 +5952,8 @@ tar -xf %{SOURCE21}
 %patch1903 -p1
 %patch1904 -p1
 %patch1905 -p1
+%patch1906 -p1
+%patch1907 -p1
 
 %build
 buildarch="%{kvm_target}-softmmu"
@@ -6393,6 +6399,12 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_mandir}/man8/qemu-nbd.8*
 
 %changelog
+* Mon Apr 16 2018 Miroslav Rezanina - 1.5.3-156.el7_5.1
+- kvm-vga-add-ram_addr_t-cast.patch [bz#1567913]
+- kvm-vga-fix-region-calculation.patch [bz#1567913]
+- Resolves: bz#1567913
+  (CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z])
+
 * Tue Feb 20 2018 Miroslav Rezanina - 1.5.3-156.el7
 - kvm-vnc-Fix-qemu-crashed-when-vnc-client-disconnect-sudd.patch [bz#1527405]
 - kvm-fix-full-frame-updates-for-VNC-clients.patch [bz#1527405]