diff --git a/SOURCES/kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch b/SOURCES/kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch
new file mode 100644
index 0000000..993d0ae
--- /dev/null
+++ b/SOURCES/kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch
@@ -0,0 +1,59 @@
+From 9397be4c801c71c84bc4ba6036efea32f5426c2e Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 29 Apr 2016 07:02:46 +0200
+Subject: [PATCH 1/6] vga: Remove some "should be done in BIOS" comments
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1461913371-3145-2-git-send-email-kraxel@redhat.com>
+Patchwork-id: 70301
+O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 1/6] vga: Remove some "should be done in BIOS" comments
+Bugzilla: 1331412
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+Not all platforms have a VGA BIOS, powerpc typically relies on
+using the DISPI interface to initialize the card.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vga.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 0761b9e..48dad03 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -764,14 +764,13 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+ s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;
+ vbe_fixup_regs(s);
+
+- /* clear the screen (should be done in BIOS) */
++ /* clear the screen */
+ if (!(val & VBE_DISPI_NOCLEARMEM)) {
+ memset(s->vram_ptr, 0,
+ s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset);
+ }
+
+- /* we initialize the VGA graphic mode (should be done
+- in BIOS) */
++ /* we initialize the VGA graphic mode */
+ /* graphic mode + memory map 1 */
+ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
+ VGA_GR06_GRAPHICS_MODE;
+@@ -804,7 +803,6 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+ (shift_control << 5);
+ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
+ } else {
+- /* XXX: the bios should do that */
+ s->bank_offset = 0;
+ }
+ s->dac_8bit = (val & VBE_DISPI_8BIT_DAC) > 0;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-add-vbe_enabled-helper.patch b/SOURCES/kvm-vga-add-vbe_enabled-helper.patch
new file mode 100644
index 0000000..fb13245
--- /dev/null
+++ b/SOURCES/kvm-vga-add-vbe_enabled-helper.patch
@@ -0,0 +1,86 @@
+From 0f24daf4c35cace529ae8441aa8b101ba53660ea Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 29 Apr 2016 07:02:48 +0200
+Subject: [PATCH 3/6] vga: add vbe_enabled() helper
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1461913371-3145-4-git-send-email-kraxel@redhat.com>
+Patchwork-id: 70303
+O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 3/6] vga: add vbe_enabled() helper
+Bugzilla: 1331412
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Makes code a bit easier to read.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vga.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index ba171ba..b694a26 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -166,6 +166,11 @@ static uint32_t expand4[256];
+ static uint16_t expand2[256];
+ static uint8_t expand4to8[16];
+
++static inline bool vbe_enabled(VGACommonState *s)
++{
++ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
++}
++
+ static void vga_update_memory_access(VGACommonState *s)
+ {
+ MemoryRegion *region, *old_region = s->chain4_alias;
+@@ -591,7 +596,7 @@ static void vbe_fixup_regs(VGACommonState *s)
+ uint16_t *r = s->vbe_regs;
+ uint32_t bits, linelength, maxy, offset;
+
+- if (!(r[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
++ if (!vbe_enabled(s)) {
+ /* vbe is turned off -- nothing to do */
+ return;
+ }
+@@ -775,7 +780,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+ /* width */
+ s->cr[VGA_CRTC_H_DISP] =
+ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
+- /* height (only meaningful if < 1024) */
++ /* height (only meaningful if < 1024) */
+ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
+ s->cr[VGA_CRTC_V_DISP_END] = h;
+ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
+@@ -1170,7 +1175,7 @@ static void vga_get_offsets(VGACommonState *s,
+ {
+ uint32_t start_addr, line_offset, line_compare;
+
+- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++ if (vbe_enabled(s)) {
+ line_offset = s->vbe_line_offset;
+ start_addr = s->vbe_start_addr;
+ line_compare = 65535;
+@@ -1623,7 +1628,7 @@ static int vga_get_bpp(VGACommonState *s)
+ {
+ int ret;
+
+- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++ if (vbe_enabled(s)) {
+ ret = s->vbe_regs[VBE_DISPI_INDEX_BPP];
+ } else {
+ ret = 0;
+@@ -1635,7 +1640,7 @@ static void vga_get_resolution(VGACommonState *s, int *pwidth, int *pheight)
+ {
+ int width, height;
+
+- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++ if (vbe_enabled(s)) {
+ width = s->vbe_regs[VBE_DISPI_INDEX_XRES];
+ height = s->vbe_regs[VBE_DISPI_INDEX_YRES];
+ } else {
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-factor-out-vga-register-setup.patch b/SOURCES/kvm-vga-factor-out-vga-register-setup.patch
new file mode 100644
index 0000000..4314346
--- /dev/null
+++ b/SOURCES/kvm-vga-factor-out-vga-register-setup.patch
@@ -0,0 +1,136 @@
+From c3eb11a92f0fa90fe2976c9c5ea59fe8ab862e77 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 29 Apr 2016 07:02:49 +0200
+Subject: [PATCH 4/6] vga: factor out vga register setup
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1461913371-3145-5-git-send-email-kraxel@redhat.com>
+Patchwork-id: 70304
+O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 4/6] vga: factor out vga register setup
+Bugzilla: 1331412
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+When enabling vbe mode qemu will setup a bunch of vga registers to make
+sure the vga emulation operates in correct mode for a linear
+framebuffer. Move that code to a separate function so we can call it
+from other places too.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vga.c | 78 ++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 44 insertions(+), 34 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index b694a26..4cc0df5 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -671,6 +671,49 @@ static void vbe_fixup_regs(VGACommonState *s)
+ s->vbe_start_addr = offset / 4;
+ }
+
++/* we initialize the VGA graphic mode */
++static void vbe_update_vgaregs(VGACommonState *s)
++{
++ int h, shift_control;
++
++ if (!vbe_enabled(s)) {
++ /* vbe is turned off -- nothing to do */
++ return;
++ }
++
++ /* graphic mode + memory map 1 */
++ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
++ VGA_GR06_GRAPHICS_MODE;
++ s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
++ s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
++ /* width */
++ s->cr[VGA_CRTC_H_DISP] =
++ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
++ /* height (only meaningful if < 1024) */
++ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
++ s->cr[VGA_CRTC_V_DISP_END] = h;
++ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
++ ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
++ /* line compare to 1023 */
++ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
++ s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
++ s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
++
++ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
++ shift_control = 0;
++ s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
++ } else {
++ shift_control = 2;
++ /* set chain 4 mode */
++ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
++ /* activate all planes */
++ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
++ }
++ s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
++ (shift_control << 5);
++ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
++}
++
+ static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr)
+ {
+ VGACommonState *s = opaque;
+@@ -757,52 +800,19 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+ case VBE_DISPI_INDEX_ENABLE:
+ if ((val & VBE_DISPI_ENABLED) &&
+ !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
+- int h, shift_control;
+
+ s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0;
+ s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0;
+ s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0;
+ s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;
+ vbe_fixup_regs(s);
++ vbe_update_vgaregs(s);
+
+ /* clear the screen */
+ if (!(val & VBE_DISPI_NOCLEARMEM)) {
+ memset(s->vram_ptr, 0,
+ s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset);
+ }
+-
+- /* we initialize the VGA graphic mode */
+- /* graphic mode + memory map 1 */
+- s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
+- VGA_GR06_GRAPHICS_MODE;
+- s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
+- s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
+- /* width */
+- s->cr[VGA_CRTC_H_DISP] =
+- (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
+- /* height (only meaningful if < 1024) */
+- h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
+- s->cr[VGA_CRTC_V_DISP_END] = h;
+- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
+- ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
+- /* line compare to 1023 */
+- s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
+- s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
+- s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
+-
+- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+- shift_control = 0;
+- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
+- } else {
+- shift_control = 2;
+- /* set chain 4 mode */
+- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+- /* activate all planes */
+- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
+- }
+- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
+- (shift_control << 5);
+- s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
+ } else {
+ s->bank_offset = 0;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch b/SOURCES/kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
new file mode 100644
index 0000000..13fd623
--- /dev/null
+++ b/SOURCES/kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
@@ -0,0 +1,109 @@
+From 73714beab12fec056f3b38a7c2bc35a520405953 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 29 Apr 2016 07:02:47 +0200
+Subject: [PATCH 2/6] vga: fix banked access bounds checking (CVE-2016-3710)
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1461913371-3145-3-git-send-email-kraxel@redhat.com>
+Patchwork-id: 70302
+O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 2/6] vga: fix banked access bounds checking (CVE-2016-3710)
+Bugzilla: 1331412
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+vga allows banked access to video memory using the window at 0xa00000
+and it supports a different access modes with different address
+calculations.
+
+The VBE bochs extentions support banked access too, using the
+VBE_DISPI_INDEX_BANK register. The code tries to take the different
+address calculations into account and applies different limits to
+VBE_DISPI_INDEX_BANK depending on the current access mode.
+
+Which is probably effective in stopping misprogramming by accident.
+But from a security point of view completely useless as an attacker
+can easily change access modes after setting the bank register.
+
+Drop the bogus check, add range checks to vga_mem_{readb,writeb}
+instead.
+
+Fixes: CVE-2016-3710
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vga.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 48dad03..ba171ba 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -744,11 +744,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+ vbe_fixup_regs(s);
+ break;
+ case VBE_DISPI_INDEX_BANK:
+- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+- val &= (s->vbe_bank_mask >> 2);
+- } else {
+- val &= s->vbe_bank_mask;
+- }
++ val &= s->vbe_bank_mask;
+ s->vbe_regs[s->vbe_index] = val;
+ s->bank_offset = (val << 16);
+ vga_update_memory_access(s);
+@@ -847,13 +843,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
+
+ if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+ /* chain 4 mode : simplest access */
++ assert(addr < s->vram_size);
+ ret = s->vram_ptr[addr];
+ } else if (s->gr[VGA_GFX_MODE] & 0x10) {
+ /* odd/even mode (aka text mode mapping) */
+ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
+- ret = s->vram_ptr[((addr & ~1) << 1) | plane];
++ addr = ((addr & ~1) << 1) | plane;
++ if (addr >= s->vram_size) {
++ return 0xff;
++ }
++ ret = s->vram_ptr[addr];
+ } else {
+ /* standard VGA latched access */
++ if (addr * sizeof(uint32_t) >= s->vram_size) {
++ return 0xff;
++ }
+ s->latch = ((uint32_t *)s->vram_ptr)[addr];
+
+ if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
+@@ -910,6 +914,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+ plane = addr & 3;
+ mask = (1 << plane);
+ if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
++ assert(addr < s->vram_size);
+ s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+ printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
+@@ -923,6 +928,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+ mask = (1 << plane);
+ if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+ addr = ((addr & ~1) << 1) | plane;
++ if (addr >= s->vram_size) {
++ return;
++ }
+ s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+ printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
+@@ -996,6 +1004,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+ mask = s->sr[VGA_SEQ_PLANE_WRITE];
+ s->plane_updated |= mask; /* only used to detect font change */
+ write_mask = mask16[mask];
++ if (addr * sizeof(uint32_t) >= s->vram_size) {
++ return;
++ }
+ ((uint32_t *)s->vram_ptr)[addr] =
+ (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) |
+ (val & write_mask);
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch b/SOURCES/kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
new file mode 100644
index 0000000..131c165
--- /dev/null
+++ b/SOURCES/kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
@@ -0,0 +1,82 @@
+From d4916c5677937634c50737ac3caa9b6823789f4f Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 29 Apr 2016 07:02:51 +0200
+Subject: [PATCH 6/6] vga: make sure vga register setup for vbe stays intact.
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1461913371-3145-7-git-send-email-kraxel@redhat.com>
+Patchwork-id: 70306
+O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 6/6] vga: make sure vga register setup for vbe stays intact.
+Bugzilla: 1331412
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
+registers, to make sure the vga registers will always have the
+values needed by vbe mode. This makes sure the sanity checks
+applied by vbe_fixup_regs() are effective.
+
+Without this guests can muck with shift_control, can turn on planar
+vga modes or text mode emulation while VBE is active, making qemu
+take code paths meant for CGA compatibility, but with the very
+large display widths and heigts settable using VBE registers.
+
+Which is good for one or another buffer overflow. Not that
+critical as they typically read overflows happening somewhere
+in the display code. So guests can DoS by crashing qemu with a
+segfault, but it is probably not possible to break out of the VM.
+
+Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
+Reported-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vga.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index ee3c0c0..f049b26 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -166,6 +166,8 @@ static uint32_t expand4[256];
+ static uint16_t expand2[256];
+ static uint8_t expand4to8[16];
+
++static void vbe_update_vgaregs(VGACommonState *s);
++
+ static inline bool vbe_enabled(VGACommonState *s)
+ {
+ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
+@@ -511,6 +513,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
+ #endif
+ s->sr[s->sr_index] = val & sr_mask[s->sr_index];
++ vbe_update_vgaregs(s);
+ if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
+ s->update_retrace_info(s);
+ }
+@@ -542,6 +545,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
+ #endif
+ s->gr[s->gr_index] = val & gr_mask[s->gr_index];
++ vbe_update_vgaregs(s);
+ vga_update_memory_access(s);
+ break;
+ case VGA_CRT_IM:
+@@ -560,10 +564,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ if (s->cr_index == VGA_CRTC_OVERFLOW) {
+ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
+ (val & 0x10);
++ vbe_update_vgaregs(s);
+ }
+ return;
+ }
+ s->cr[s->cr_index] = val;
++ vbe_update_vgaregs(s);
+
+ switch(s->cr_index) {
+ case VGA_CRTC_H_TOTAL:
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-update-vga-register-setup-on-vbe-changes.patch b/SOURCES/kvm-vga-update-vga-register-setup-on-vbe-changes.patch
new file mode 100644
index 0000000..5c5a293
--- /dev/null
+++ b/SOURCES/kvm-vga-update-vga-register-setup-on-vbe-changes.patch
@@ -0,0 +1,38 @@
+From 1dfb069237e2ddf979407841a2907cd332017924 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 29 Apr 2016 07:02:50 +0200
+Subject: [PATCH 5/6] vga: update vga register setup on vbe changes
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1461913371-3145-6-git-send-email-kraxel@redhat.com>
+Patchwork-id: 70305
+O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 5/6] vga: update vga register setup on vbe changes
+Bugzilla: 1331412
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Call the new vbe_update_vgaregs() function on vbe configuration
+changes, to make sure vga registers are up-to-date.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vga.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 4cc0df5..ee3c0c0 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -790,6 +790,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+ case VBE_DISPI_INDEX_Y_OFFSET:
+ s->vbe_regs[s->vbe_index] = val;
+ vbe_fixup_regs(s);
++ vbe_update_vgaregs(s);
+ break;
+ case VBE_DISPI_INDEX_BANK:
+ val &= s->vbe_bank_mask;
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 5c683ef..08160d1 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \
Summary: QEMU is a FAST! processor emulator
Name: %{pkgname}%{?pkgsuffix}
Version: 1.5.3
-Release: 105%{?dist}.3
+Release: 105%{?dist}.4
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 10
License: GPLv2+ and LGPLv2+ and BSD
@@ -3169,6 +3169,18 @@ Patch1555: kvm-rbd-fix-ceph-settings-precedence.patch
Patch1556: kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
# For bz#1298047 - CVE-2016-1714 qemu-kvm: Qemu: nvram: OOB r/w access in processing firmware configurations [rhel-7.2.z]
Patch1557: kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch
+# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z]
+Patch1558: kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch
+# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z]
+Patch1559: kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
+# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z]
+Patch1560: kvm-vga-add-vbe_enabled-helper.patch
+# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z]
+Patch1561: kvm-vga-factor-out-vga-register-setup.patch
+# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z]
+Patch1562: kvm-vga-update-vga-register-setup-on-vbe-changes.patch
+# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z]
+Patch1563: kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
BuildRequires: zlib-devel
@@ -4939,6 +4951,12 @@ cp %{SOURCE18} pc-bios # keep "make check" happy
%patch1555 -p1
%patch1556 -p1
%patch1557 -p1
+%patch1558 -p1
+%patch1559 -p1
+%patch1560 -p1
+%patch1561 -p1
+%patch1562 -p1
+%patch1563 -p1
%build
buildarch="%{kvm_target}-softmmu"
@@ -5395,6 +5413,16 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%{_libdir}/pkgconfig/libcacard.pc
%changelog
+* Tue May 03 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-105.el7_2.4
+- kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch [bz#1331412]
+- kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch [bz#1331412]
+- kvm-vga-add-vbe_enabled-helper.patch [bz#1331412]
+- kvm-vga-factor-out-vga-register-setup.patch [bz#1331412]
+- kvm-vga-update-vga-register-setup-on-vbe-changes.patch [bz#1331412]
+- kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch [bz#1331412]
+- Resolves: bz#1331412
+ (EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z])
+
* Thu Jan 21 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-105.el7_2.3
- kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch [bz#1298047]
- Resolves: bz#1298047