diff options
| author | Thomas Penteker <tek@serverop.de> | 2016-05-27 13:44:09 +0200 |
|---|---|---|
| committer | Thomas Penteker <tek@serverop.de> | 2016-05-27 13:44:09 +0200 |
| commit | 2cabb33df9d95cff8eb94a873477427cba70cc64 (patch) | |
| tree | e599ed3dafce9e15d40d07d6acbec0406918f1cd /qemu | |
| parent | 3a1b8ae4a0bf1f90fc5a2857e2fba482072619f7 (diff) | |
| download | opt-2cabb33df9d95cff8eb94a873477427cba70cc64.tar.gz opt-2cabb33df9d95cff8eb94a873477427cba70cc64.tar.xz | |
[notify] qemu: fix several CVEs, patch taken from http://pkgs.fedoraproject.org/cgit/rpms/qemu.git/commit/?id=f0208c9e
Diffstat (limited to 'qemu')
| -rw-r--r-- | qemu/.md5sum | 1 | ||||
| -rw-r--r-- | qemu/Pkgfile | 6 | ||||
| -rw-r--r-- | qemu/cve-2016-4020-4439-4441.diff | 294 |
3 files changed, 299 insertions, 2 deletions
diff --git a/qemu/.md5sum b/qemu/.md5sum index 263e4bc9a..6d028daca 100644 --- a/qemu/.md5sum +++ b/qemu/.md5sum @@ -1 +1,2 @@ +bae792f4cb7495f567390046a1ede1cb cve-2016-4020-4439-4441.diff ca3f70b43f093e33e9e014f144067f13 qemu-2.6.0.tar.bz2 diff --git a/qemu/Pkgfile b/qemu/Pkgfile index d048e95fb..c7cfa4b66 100644 --- a/qemu/Pkgfile +++ b/qemu/Pkgfile @@ -7,13 +7,15 @@ name=qemu version=2.6.0 -release=1 -source=(http://wiki.qemu.org/download/qemu-$version.tar.bz2) +release=2 +source=(http://wiki.qemu.org/download/qemu-$version.tar.bz2 cve-2016-4020-4439-4441.diff) build() { cd $name-$version + patch -p1 -i $SRC/cve-2016-4020-4439-4441.diff + ./configure --prefix=/usr \ --cc="${CC:=gcc}" \ --host-cc="${CC:=gcc}" \ diff --git a/qemu/cve-2016-4020-4439-4441.diff b/qemu/cve-2016-4020-4439-4441.diff new file mode 100644 index 000000000..e203e9e40 --- /dev/null +++ b/qemu/cve-2016-4020-4439-4441.diff @@ -0,0 +1,294 @@ +--- a/hw/i386/kvmvapic.c ++++ b/hw/i386/kvmvapic.c +@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip) + CPUX86State *env = &cpu->env; + VAPICHandlers *handlers; + uint8_t opcode[2]; +- uint32_t imm32; ++ uint32_t imm32 = 0; + target_ulong current_pc = 0; + target_ulong current_cs_base = 0; + int current_flags = 0; +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) + break; + case ESP_FIFO: + if (s->do_cmd) { +- s->cmdbuf[s->cmdlen++] = val & 0xff; ++ if (s->cmdlen < TI_BUFSZ) { ++ s->cmdbuf[s->cmdlen++] = val & 0xff; ++ } else { ++ trace_esp_error_fifo_overrun(); ++ } + } else if (s->ti_size == TI_BUFSZ - 1) { + trace_esp_error_fifo_overrun(); + } else { +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req) + } + } + +-static uint32_t get_cmd(ESPState *s, uint8_t *buf) ++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) + { + uint32_t dmalen; + int target; +@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) + dmalen = s->rregs[ESP_TCLO]; + dmalen |= s->rregs[ESP_TCMID] << 8; + dmalen |= s->rregs[ESP_TCHI] << 16; ++ if (dmalen > buflen) { ++ return 0; ++ } + s->dma_memory_read(s->dma_opaque, buf, dmalen); + } else { + dmalen = s->ti_size; +@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s) + s->dma_cb = handle_satn; + return; + } +- len = get_cmd(s, buf); ++ len = get_cmd(s, buf, sizeof(buf)); + if (len) + do_cmd(s, buf); + } +@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s) + s->dma_cb = handle_s_without_atn; + return; + } +- len = get_cmd(s, buf); ++ len = get_cmd(s, buf, sizeof(buf)); + if (len) { + do_busid_cmd(s, buf, 0); + } +@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s) + s->dma_cb = handle_satn_stop; + return; + } +- s->cmdlen = get_cmd(s, s->cmdbuf); ++ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf)); + if (s->cmdlen) { + trace_esp_handle_satn_stop(s->cmdlen); + s->do_cmd = 1; +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s) + return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED; + } + ++static inline uint8_t sr(VGACommonState *s, int idx) ++{ ++ return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx]; ++} ++ + static void vga_update_memory_access(VGACommonState *s) + { + hwaddr base, offset, size; +@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s) + s->has_chain4_alias = false; + s->plane_updated = 0xf; + } +- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) == +- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { ++ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) == ++ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { + offset = 0; + switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) { + case 0: +@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s) + ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8); + vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf; + +- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1; ++ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1; + clock_sel = (s->msr >> 2) & 3; + dots = (s->msr & 1) ? 8 : 9; + +@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val) + printf("vga: write SR%x = 0x%02x\n", s->sr_index, val); + #endif + s->sr[s->sr_index] = val & sr_mask[s->sr_index]; +- vbe_update_vgaregs(s); + if (s->sr_index == VGA_SEQ_CLOCK_MODE) { + s->update_retrace_info(s); + } +@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s) + + if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { + shift_control = 0; +- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ ++ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ + } else { + shift_control = 2; + /* set chain 4 mode */ +- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; ++ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; + /* activate all planes */ +- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; ++ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; + } + s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | + (shift_control << 5); +@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr) + break; + } + +- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { ++ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { + /* chain 4 mode : simplest access */ + assert(addr < s->vram_size); + ret = s->vram_ptr[addr]; +@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + break; + } + +- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { ++ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { + /* chain 4 mode : simplest access */ + plane = addr & 3; + mask = (1 << plane); +- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { ++ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) { + assert(addr < s->vram_size); + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM +@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + /* odd/even mode (aka text mode mapping) */ + plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); + mask = (1 << plane); +- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { ++ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) { + addr = ((addr & ~1) << 1) | plane; + if (addr >= s->vram_size) { + return; +@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + + do_write: + /* mask data according to sr[2] */ +- mask = s->sr[VGA_SEQ_PLANE_WRITE]; ++ mask = sr(s, VGA_SEQ_PLANE_WRITE); + s->plane_updated |= mask; /* only used to detect font change */ + write_mask = mask16[mask]; + if (addr * sizeof(uint32_t) >= s->vram_size) { +@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight + /* total width & height */ + cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1; + cwidth = 8; +- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) { ++ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) { + cwidth = 9; + } +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) { + cwidth = 16; /* NOTE: no 18 pixel wide */ + } + width = (s->cr[VGA_CRTC_H_DISP] + 1); +@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update) + int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL); + + /* compute font data address (in plane 2) */ +- v = s->sr[VGA_SEQ_CHARACTER_MAP]; ++ v = sr(s, VGA_SEQ_CHARACTER_MAP); + offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2; + if (offset != s->font_offsets[0]) { + s->font_offsets[0] = offset; +@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + } + + if (shift_control == 0) { +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { + disp_width <<= 1; + } + } else if (shift_control == 1) { +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { + disp_width <<= 1; + } + } +@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + + if (shift_control == 0) { + full_update |= update_palette16(s); +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { + v = VGA_DRAW_LINE4D2; + } else { + v = VGA_DRAW_LINE4; +@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + bits = 4; + } else if (shift_control == 1) { + full_update |= update_palette16(s); +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { + v = VGA_DRAW_LINE2D2; + } else { + v = VGA_DRAW_LINE2; +@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + #if 0 + printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n", + width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE], +- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]); ++ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE)); + #endif + addr1 = (s->start_addr * 4); + bwidth = (width * bits + 7) / 8; +@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s) + { + s->sr_index = 0; + memset(s->sr, '\0', sizeof(s->sr)); ++ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe)); + s->gr_index = 0; + memset(s->gr, '\0', sizeof(s->gr)); + s->ar_index = 0; +@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata) + /* total width & height */ + cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1; + cw = 8; +- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) { ++ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) { + cw = 9; + } +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) { + cw = 16; /* NOTE: no 18 pixel wide */ + } + width = (s->cr[VGA_CRTC_H_DISP] + 1); +@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id) + + /* force refresh */ + s->graphic_mode = -1; ++ vbe_update_vgaregs(s); + return 0; + } + +--- a/hw/display/vga_int.h ++++ b/hw/display/vga_int.h +@@ -98,6 +98,7 @@ typedef struct VGACommonState { + MemoryRegion chain4_alias; + uint8_t sr_index; + uint8_t sr[256]; ++ uint8_t sr_vbe[256]; + uint8_t gr_index; + uint8_t gr[256]; + uint8_t ar_index; +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -1114,10 +1114,14 @@ static void machvirt_init(MachineState *machine) + * KVM is not available yet + */ + if (!gic_version) { ++ if (!kvm_enabled()) { ++ error_report("gic-version=host requires KVM"); ++ exit(1); ++ } ++ + gic_version = kvm_arm_vgic_probe(); + if (!gic_version) { + error_report("Unable to determine GIC version supported by host"); +- error_printf("KVM acceleration is probably not supported\n"); + exit(1); + } + } |