diff --git a/SOURCES/kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch b/SOURCES/kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch
new file mode 100644
index 0000000..993d0ae
--- /dev/null
+++ b/SOURCES/kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch
@@ -0,0 +1,59 @@
+From 9397be4c801c71c84bc4ba6036efea32f5426c2e Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 29 Apr 2016 07:02:46 +0200
+Subject: [PATCH 1/6] vga: Remove some "should be done in BIOS" comments
+
+RH-Author: Gerd Hoffmann
+Message-id: <1461913371-3145-2-git-send-email-kraxel@redhat.com>
+Patchwork-id: 70301
+O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 1/6] vga: Remove some "should be done in BIOS" comments
+Bugzilla: 1331412
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Dr. David Alan Gilbert
+
+From: Benjamin Herrenschmidt
+
+Not all platforms have a VGA BIOS, powerpc typically relies on
+using the DISPI interface to initialize the card.
+
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: David Gibson
+Signed-off-by: Miroslav Rezanina
+---
+ hw/display/vga.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 0761b9e..48dad03 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -764,14 +764,13 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+ s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;
+ vbe_fixup_regs(s);
+
+- /* clear the screen (should be done in BIOS) */
++ /* clear the screen */
+ if (!(val & VBE_DISPI_NOCLEARMEM)) {
+ memset(s->vram_ptr, 0,
+ s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset);
+ }
+
+- /* we initialize the VGA graphic mode (should be done
+- in BIOS) */
++ /* we initialize the VGA graphic mode */
+ /* graphic mode + memory map 1 */
+ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
+ VGA_GR06_GRAPHICS_MODE;
+@@ -804,7 +803,6 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+ (shift_control << 5);
+ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
+ } else {
+- /* XXX: the bios should do that */
+ s->bank_offset = 0;
+ }
+ s->dac_8bit = (val & VBE_DISPI_8BIT_DAC) > 0;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-add-vbe_enabled-helper.patch b/SOURCES/kvm-vga-add-vbe_enabled-helper.patch
new file mode 100644
index 0000000..fb13245
--- /dev/null
+++ b/SOURCES/kvm-vga-add-vbe_enabled-helper.patch
@@ -0,0 +1,86 @@
+From 0f24daf4c35cace529ae8441aa8b101ba53660ea Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 29 Apr 2016 07:02:48 +0200
+Subject: [PATCH 3/6] vga: add vbe_enabled() helper
+
+RH-Author: Gerd Hoffmann
+Message-id: <1461913371-3145-4-git-send-email-kraxel@redhat.com>
+Patchwork-id: 70303
+O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 3/6] vga: add vbe_enabled() helper
+Bugzilla: 1331412
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Dr. David Alan Gilbert
+
+Makes code a bit easier to read.
+
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Miroslav Rezanina
+---
+ hw/display/vga.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index ba171ba..b694a26 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -166,6 +166,11 @@ static uint32_t expand4[256];
+ static uint16_t expand2[256];
+ static uint8_t expand4to8[16];
+
++static inline bool vbe_enabled(VGACommonState *s)
++{
++ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
++}
++
+ static void vga_update_memory_access(VGACommonState *s)
+ {
+ MemoryRegion *region, *old_region = s->chain4_alias;
+@@ -591,7 +596,7 @@ static void vbe_fixup_regs(VGACommonState *s)
+ uint16_t *r = s->vbe_regs;
+ uint32_t bits, linelength, maxy, offset;
+
+- if (!(r[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
++ if (!vbe_enabled(s)) {
+ /* vbe is turned off -- nothing to do */
+ return;
+ }
+@@ -775,7 +780,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+ /* width */
+ s->cr[VGA_CRTC_H_DISP] =
+ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
+- /* height (only meaningful if < 1024) */
++ /* height (only meaningful if < 1024) */
+ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
+ s->cr[VGA_CRTC_V_DISP_END] = h;
+ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
+@@ -1170,7 +1175,7 @@ static void vga_get_offsets(VGACommonState *s,
+ {
+ uint32_t start_addr, line_offset, line_compare;
+
+- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++ if (vbe_enabled(s)) {
+ line_offset = s->vbe_line_offset;
+ start_addr = s->vbe_start_addr;
+ line_compare = 65535;
+@@ -1623,7 +1628,7 @@ static int vga_get_bpp(VGACommonState *s)
+ {
+ int ret;
+
+- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++ if (vbe_enabled(s)) {
+ ret = s->vbe_regs[VBE_DISPI_INDEX_BPP];
+ } else {
+ ret = 0;
+@@ -1635,7 +1640,7 @@ static void vga_get_resolution(VGACommonState *s, int *pwidth, int *pheight)
+ {
+ int width, height;
+
+- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++ if (vbe_enabled(s)) {
+ width = s->vbe_regs[VBE_DISPI_INDEX_XRES];
+ height = s->vbe_regs[VBE_DISPI_INDEX_YRES];
+ } else {
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-factor-out-vga-register-setup.patch b/SOURCES/kvm-vga-factor-out-vga-register-setup.patch
new file mode 100644
index 0000000..4314346
--- /dev/null
+++ b/SOURCES/kvm-vga-factor-out-vga-register-setup.patch
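Review bot: vbe_enabled() is declared `bool` but returns the raw `uint16_t & VBE_DISPI_ENABLED` mask value, relying on the implicit conversion, and it takes a non-const pointer although it only reads `s`; I would write `static inline bool vbe_enabled(const VGACommonState *s)` with `return (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) != 0;` so it can be used from read-only query paths without casts. The helper also deserves a one-line comment, e.g. `/* true while the VBE_DISPI_ENABLED bit is set in the VBE enable register */`. The hunk at @@ -775 is a whitespace-only change to a comment and sits oddly in a helper-introduction patch. The functions touched by the remaining hunks (vbe_fixup_regs, vga_get_offsets, vga_get_bpp, vga_get_resolution) all start or end outside the hunks.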
@@ -0,0 +1,136 @@
+From c3eb11a92f0fa90fe2976c9c5ea59fe8ab862e77 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 29 Apr 2016 07:02:49 +0200
+Subject: [PATCH 4/6] vga: factor out vga register setup
+
+RH-Author: Gerd Hoffmann
+Message-id: <1461913371-3145-5-git-send-email-kraxel@redhat.com>
+Patchwork-id: 70304
+O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 4/6] vga: factor out vga register setup
+Bugzilla: 1331412
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Dr. David Alan Gilbert
+
+When enabling vbe mode qemu will setup a bunch of vga registers to make
+sure the vga emulation operates in correct mode for a linear
+framebuffer. Move that code to a separate function so we can call it
+from other places too.
+
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Miroslav Rezanina
+---
+ hw/display/vga.c | 78 ++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 44 insertions(+), 34 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index b694a26..4cc0df5 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -671,6 +671,49 @@ static void vbe_fixup_regs(VGACommonState *s)
+ s->vbe_start_addr = offset / 4;
+ }
+
++/* we initialize the VGA graphic mode */
++static void vbe_update_vgaregs(VGACommonState *s)
++{
++ int h, shift_control;
++
++ if (!vbe_enabled(s)) {
++ /* vbe is turned off -- nothing to do */
++ return;
++ }
++
++ /* graphic mode + memory map 1 */
++ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
++ VGA_GR06_GRAPHICS_MODE;
++ s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
++ s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
++ /* width */
++ s->cr[VGA_CRTC_H_DISP] =
++ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
++ /* height (only meaningful if < 1024) */
++ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
++ s->cr[VGA_CRTC_V_DISP_END] = h;
++ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
++ ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
++ /* line compare to 1023 */
++ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
++ s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
++ s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
++
++ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
++ shift_control = 0;
++ s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
++ } else {
++ shift_control = 2;
++ /* set chain 4 mode */
++ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
++ /* activate all planes */
++ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
++ }
++ s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
++ (shift_control << 5);
++ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
++}
++
+ static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr)
+ {
+ VGACommonState *s = opaque;
+@@ -757,52 +800,19 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+ case VBE_DISPI_INDEX_ENABLE:
+ if ((val & VBE_DISPI_ENABLED) &&
+ !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
+- int h, shift_control;
+
+ s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0;
+ s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0;
+ s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0;
+ s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;
+ vbe_fixup_regs(s);
++ vbe_update_vgaregs(s);
+
+ /* clear the screen */
+ if (!(val & VBE_DISPI_NOCLEARMEM)) {
+ memset(s->vram_ptr, 0,
+ s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset);
+ }
+-
+- /* we initialize the VGA graphic mode */
+- /* graphic mode + memory map 1 */
+- s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
+- VGA_GR06_GRAPHICS_MODE;
+- s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
+- s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
+- /* width */
+- s->cr[VGA_CRTC_H_DISP] =
+- (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
+- /* height (only meaningful if < 1024) */
+- h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
+- s->cr[VGA_CRTC_V_DISP_END] = h;
+- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
+- ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
+- /* line compare to 1023 */
+- s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
+- s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
+- s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
+-
+- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+- shift_control = 0;
+- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
+- } else {
+- shift_control = 2;
+- /* set chain 4 mode */
+- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+- /* activate all planes */
+- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
+- }
+- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
+- (shift_control << 5);
+- s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
+ } else {
+ s->bank_offset = 0;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch b/SOURCES/kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
new file mode 100644
index 0000000..13fd623
--- /dev/null
+++ b/SOURCES/kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
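Review bot: vbe_update_vgaregs() becomes a standalone function that rewrites GFX, SEQ and CRTC registers from any caller, yet it keeps only the `/* we initialize the VGA graphic mode */` line inherited from the inlined code; a contract comment should say that it derives everything from vbe_regs and vbe_line_offset, is a no-op while VBE is disabled, and is meant to run after vbe_fixup_regs() so the values it copies have already been sanitised. Separately, `h` is an `int` computed as `s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1`; if vbe_fixup_regs() can leave YRES at 0 (not visible in this hunk) that yields -1 and the `h >> 7` / `h >> 3` shifts act on a negative value, which is implementation-defined in C — declaring `unsigned h` keeps the shifts well-defined. In vbe_ioport_write_data the new call is placed before the screen clear, which is fine because the memset size depends only on vbe_regs and vbe_line_offset, not on anything this helper writes; vbe_ioport_write_data itself starts and ends outside the hunk.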
@@ -0,0 +1,109 @@
+From 73714beab12fec056f3b38a7c2bc35a520405953 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 29 Apr 2016 07:02:47 +0200
+Subject: [PATCH 2/6] vga: fix banked access bounds checking (CVE-2016-3710)
+
+RH-Author: Gerd Hoffmann
+Message-id: <1461913371-3145-3-git-send-email-kraxel@redhat.com>
+Patchwork-id: 70302
+O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 2/6] vga: fix banked access bounds checking (CVE-2016-3710)
+Bugzilla: 1331412
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Dr. David Alan Gilbert
+
+vga allows banked access to video memory using the window at 0xa00000
+and it supports a different access modes with different address
+calculations.
+
+The VBE bochs extentions support banked access too, using the
+VBE_DISPI_INDEX_BANK register. The code tries to take the different
+address calculations into account and applies different limits to
+VBE_DISPI_INDEX_BANK depending on the current access mode.
+
+Which is probably effective in stopping misprogramming by accident.
+But from a security point of view completely useless as an attacker
+can easily change access modes after setting the bank register.
+
+Drop the bogus check, add range checks to vga_mem_{readb,writeb}
+instead.
+
+Fixes: CVE-2016-3710
+Reported-by: Qinghao Tang
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Miroslav Rezanina
+---
+ hw/display/vga.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 48dad03..ba171ba 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -744,11 +744,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+ vbe_fixup_regs(s);
+ break;
+ case VBE_DISPI_INDEX_BANK:
+- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+- val &= (s->vbe_bank_mask >> 2);
+- } else {
+- val &= s->vbe_bank_mask;
+- }
++ val &= s->vbe_bank_mask;
+ s->vbe_regs[s->vbe_index] = val;
+ s->bank_offset = (val << 16);
+ vga_update_memory_access(s);
+@@ -847,13 +843,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
+
+ if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+ /* chain 4 mode : simplest access */
++ assert(addr < s->vram_size);
+ ret = s->vram_ptr[addr];
+ } else if (s->gr[VGA_GFX_MODE] & 0x10) {
+ /* odd/even mode (aka text mode mapping) */
+ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
+- ret = s->vram_ptr[((addr & ~1) << 1) | plane];
++ addr = ((addr & ~1) << 1) | plane;
++ if (addr >= s->vram_size) {
++ return 0xff;
++ }
++ ret = s->vram_ptr[addr];
+ } else {
+ /* standard VGA latched access */
++ if (addr * sizeof(uint32_t) >= s->vram_size) {
++ return 0xff;
++ }
+ s->latch = ((uint32_t *)s->vram_ptr)[addr];
+
+ if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
+@@ -910,6 +914,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+ plane = addr & 3;
+ mask = (1 << plane);
+ if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
++ assert(addr < s->vram_size);
+ s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+ printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
+@@ -923,6 +928,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+ mask = (1 << plane);
+ if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+ addr = ((addr & ~1) << 1) | plane;
++ if (addr >= s->vram_size) {
++ return;
++ }
+ s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+ printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
+@@ -996,6 +1004,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+ mask = s->sr[VGA_SEQ_PLANE_WRITE];
+ s->plane_updated |= mask; /* only used to detect font change */
+ write_mask = mask16[mask];
++ if (addr * sizeof(uint32_t) >= s->vram_size) {
++ return;
++ }
+ ((uint32_t *)s->vram_ptr)[addr] =
+ (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) |
+ (val & write_mask);
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch b/SOURCES/kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
new file mode 100644
index 0000000..131c165
--- /dev/null
+++ b/SOURCES/kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
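Review bot: The chain-4 paths in vga_mem_readb and vga_mem_writeb guard with `assert(addr < s->vram_size)` while the odd/even and latched paths return 0xff or drop the write; if the invariant behind the assert (the bank offset, now masked only by vbe_bank_mask, plus the window offset staying below vram_size) fails for some configuration, a guest-driven access ends in an abort of the whole QEMU process instead of a handled read or write. If the assert is deliberate, a comment stating that invariant would help the next reader, e.g. `/* chain4: addr = window offset + bank_offset, both bounded below vram_size */`, once confirmed against the derivation of vbe_bank_mask, which is not in this hunk. The latched-path checks `addr * sizeof(uint32_t) >= s->vram_size` cover the 4-byte access only if vram_size is a multiple of 4, which the hunk does not establish; `if (addr * sizeof(uint32_t) + sizeof(uint32_t) > s->vram_size)` in both places does not depend on it. Rejected accesses are silent, so logging them as a guest error would make a misbehaving guest observable from the host. Both functions start and end outside the hunks.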
@@ -0,0 +1,82 @@
+From d4916c5677937634c50737ac3caa9b6823789f4f Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 29 Apr 2016 07:02:51 +0200
+Subject: [PATCH 6/6] vga: make sure vga register setup for vbe stays intact.
+
+RH-Author: Gerd Hoffmann
+Message-id: <1461913371-3145-7-git-send-email-kraxel@redhat.com>
+Patchwork-id: 70306
+O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 6/6] vga: make sure vga register setup for vbe stays intact.
+Bugzilla: 1331412
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Dr. David Alan Gilbert
+
+Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
+registers, to make sure the vga registers will always have the
+values needed by vbe mode. This makes sure the sanity checks
+applied by vbe_fixup_regs() are effective.
+
+Without this guests can muck with shift_control, can turn on planar
+vga modes or text mode emulation while VBE is active, making qemu
+take code paths meant for CGA compatibility, but with the very
+large display widths and heigts settable using VBE registers.
+
+Which is good for one or another buffer overflow. Not that
+critical as they typically read overflows happening somewhere
+in the display code. So guests can DoS by crashing qemu with a
+segfault, but it is probably not possible to break out of the VM.
+
+Reported-by: Zuozhi Fzz
+Reported-by: P J P
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Miroslav Rezanina
+---
+ hw/display/vga.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index ee3c0c0..f049b26 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -166,6 +166,8 @@ static uint32_t expand4[256];
+ static uint16_t expand2[256];
+ static uint8_t expand4to8[16];
+
++static void vbe_update_vgaregs(VGACommonState *s);
++
+ static inline bool vbe_enabled(VGACommonState *s)
+ {
+ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
+@@ -511,6 +513,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
+ #endif
+ s->sr[s->sr_index] = val & sr_mask[s->sr_index];
++ vbe_update_vgaregs(s);
+ if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
+ s->update_retrace_info(s);
+ }
+@@ -542,6 +545,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
+ #endif
+ s->gr[s->gr_index] = val & gr_mask[s->gr_index];
++ vbe_update_vgaregs(s);
+ vga_update_memory_access(s);
+ break;
+ case VGA_CRT_IM:
+@@ -560,10 +564,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ if (s->cr_index == VGA_CRTC_OVERFLOW) {
+ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
+ (val & 0x10);
++ vbe_update_vgaregs(s);
+ }
+ return;
+ }
+ s->cr[s->cr_index] = val;
++ vbe_update_vgaregs(s);
+
+ switch(s->cr_index) {
+ case VGA_CRTC_H_TOTAL:
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-update-vga-register-setup-on-vbe-changes.patch b/SOURCES/kvm-vga-update-vga-register-setup-on-vbe-changes.patch
new file mode 100644
index 0000000..5c5a293
--- /dev/null
+++ b/SOURCES/kvm-vga-update-vga-register-setup-on-vbe-changes.patch
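Review bot: The four new vbe_update_vgaregs() calls in vga_ioport_write are uncommented, so a reader of the SR, GR and CR cases cannot see why a plain register write re-runs the VBE register setup; a one-line comment at each site, e.g. `/* re-assert the register state VBE mode depends on (no-op while VBE is off) */`, would keep the rationale from the commit message next to the code. The protection is only as wide as the set of bits vbe_update_vgaregs() rewrites — any GFX, SEQ or CRTC bit it does not pin stays guest-controlled after the call — so the helper itself (outside this hunk) should list the bits it enforces, which lets a later reviewer audit this patch against it. In the GR case the call precedes vga_update_memory_access(), so if that function derives the chain-4 mapping from the sequencer registers it sees the re-asserted state, which is the right order. vga_ioport_write starts and ends outside the hunks.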
@@ -0,0 +1,38 @@ +From 1dfb069237e2ddf979407841a2907cd332017924 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 29 Apr 2016 07:02:50 +0200 +Subject: [PATCH 5/6] vga: update vga register setup on vbe changes + +RH-Author: Gerd Hoffmann +Message-id: <1461913371-3145-6-git-send-email-kraxel@redhat.com> +Patchwork-id: 70305 +O-Subject: [virt-devel] [RHEL-7.2.z qemu-kvm PATCH 5/6] vga: update vga register setup on vbe changes +Bugzilla: 1331412 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Dr. David Alan Gilbert + +Call the new vbe_update_vgaregs() function on vbe configuration +changes, to make sure vga registers are up-to-date. + +Signed-off-by: Gerd Hoffmann +Signed-off-by: Miroslav Rezanina +--- + hw/display/vga.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 4cc0df5..ee3c0c0 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -790,6 +790,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val) + case VBE_DISPI_INDEX_Y_OFFSET: + s->vbe_regs[s->vbe_index] = val; + vbe_fixup_regs(s); ++ vbe_update_vgaregs(s); + break; + case VBE_DISPI_INDEX_BANK: + val &= s->vbe_bank_mask; +-- +1.8.3.1 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index 5c683ef..08160d1 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \ Summary: QEMU is a FAST! processor emulator Name: %{pkgname}%{?pkgsuffix} Version: 1.5.3 -Release: 105%{?dist}.3 +Release: 105%{?dist}.4 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2+ and LGPLv2+ and BSD 
@@ -3169,6 +3169,18 @@ Patch1555: kvm-rbd-fix-ceph-settings-precedence.patch Patch1556: kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch # For bz#1298047 - CVE-2016-1714 qemu-kvm: Qemu: nvram: OOB r/w access in processing firmware configurations [rhel-7.2.z] Patch1557: kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch +# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z] +Patch1558: kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch +# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z] +Patch1559: kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch +# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z] +Patch1560: kvm-vga-add-vbe_enabled-helper.patch +# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z] +Patch1561: kvm-vga-factor-out-vga-register-setup.patch +# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z] +Patch1562: kvm-vga-update-vga-register-setup-on-vbe-changes.patch +# For bz#1331412 - EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z] +Patch1563: kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch BuildRequires: zlib-devel @@ -4939,6 +4951,12 @@ cp %{SOURCE18} pc-bios # keep "make check" happy %patch1555 -p1 %patch1556 -p1 %patch1557 -p1 +%patch1558 -p1 +%patch1559 -p1 +%patch1560 -p1 +%patch1561 -p1 +%patch1562 -p1 +%patch1563 -p1 %build buildarch="%{kvm_target}-softmmu" 
@@ -5395,6 +5413,16 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_libdir}/pkgconfig/libcacard.pc %changelog +* Tue May 03 2016 Miroslav Rezanina - 1.5.3-105.el7_2.4 +- kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch [bz#1331412] +- kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch [bz#1331412] +- kvm-vga-add-vbe_enabled-helper.patch [bz#1331412] +- kvm-vga-factor-out-vga-register-setup.patch [bz#1331412] +- kvm-vga-update-vga-register-setup-on-vbe-changes.patch [bz#1331412] +- kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch [bz#1331412] +- Resolves: bz#1331412 + (EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-7.2.z]) + * Thu Jan 21 2016 Miroslav Rezanina - 1.5.3-105.el7_2.3 - kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch [bz#1298047] - Resolves: bz#1298047