1. 12 5月, 2016 23 次提交
  2. 11 5月, 2016 1 次提交
  3. 09 5月, 2016 2 次提交
  4. 03 5月, 2016 2 次提交
  5. 02 5月, 2016 7 次提交
    • G
      vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). · fd3c136b
      Gerd Hoffmann 提交于
      Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
      registers, to make sure the vga registers will always have the
      values needed by vbe mode.  This makes sure the sanity checks
      applied by vbe_fixup_regs() are effective.
      
      Without this guests can muck with shift_control, can turn on planar
      vga modes or text mode emulation while VBE is active, making qemu
      take code paths meant for CGA compatibility, but with the very
      large display widths and heigts settable using VBE registers.
      
      Which is good for one or another buffer overflow.  Not that
      critical as they typically read overflows happening somewhere
      in the display code.  So guests can DoS by crashing qemu with a
      segfault, but it is probably not possible to break out of the VM.
      
      Fixes: CVE-2016-3712
      Reported-by: NZuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
      Reported-by: NP J P <ppandit@redhat.com>
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      fd3c136b
    • G
      vga: update vga register setup on vbe changes · 2068192d
      Gerd Hoffmann 提交于
      Call the new vbe_update_vgaregs() function on vbe configuration
      changes, to make sure vga registers are up-to-date.
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      2068192d
    • G
      vga: factor out vga register setup · 7fa5c2c5
      Gerd Hoffmann 提交于
      When enabling vbe mode qemu will setup a bunch of vga registers to make
      sure the vga emulation operates in correct mode for a linear
      framebuffer.  Move that code to a separate function so we can call it
      from other places too.
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      7fa5c2c5
    • G
      vga: add vbe_enabled() helper · bfa0f151
      Gerd Hoffmann 提交于
      Makes code a bit easier to read.
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      bfa0f151
    • G
      vga: fix banked access bounds checking (CVE-2016-3710) · 3bf18170
      Gerd Hoffmann 提交于
      vga allows banked access to video memory using the window at 0xa00000
      and it supports a different access modes with different address
      calculations.
      
      The VBE bochs extentions support banked access too, using the
      VBE_DISPI_INDEX_BANK register.  The code tries to take the different
      address calculations into account and applies different limits to
      VBE_DISPI_INDEX_BANK depending on the current access mode.
      
      Which is probably effective in stopping misprogramming by accident.
      But from a security point of view completely useless as an attacker
      can easily change access modes after setting the bank register.
      
      Drop the bogus check, add range checks to vga_mem_{readb,writeb}
      instead.
      
      Fixes: CVE-2016-3710
      Reported-by: NQinghao Tang <luodalongde@gmail.com>
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      3bf18170
    • J
      configure: Check if struct fsxattr is available from linux header · 277abf15
      Jan Vesely 提交于
      Fixes build failure with --enable-xfsctl and
      new linux headers (>=4.5) and older xfsprogs(<4.5):
      In file included from /usr/include/xfs/xfs.h:38:0,
                       from /var/tmp/portage/app-emulation/qemu-2.5.0-r1/work/qemu-2.5.0/block/raw-posix.c:97:
      /usr/include/xfs/xfs_fs.h:42:8: error: redefinition of ‘struct fsxattr’
       struct fsxattr {
              ^
      In file included from /var/tmp/portage/app-emulation/qemu-2.5.0-r1/work/qemu-2.5.0/block/raw-posix.c:60:0:
      /usr/include/linux/fs.h:155:8: note: originally defined here
       struct fsxattr {
      
      This is really a bug in the system headers, but we can work around it
      by defining HAVE_FSXATTR in the QEMU headers if linux/fs.h provides
      the struct, so that xfs_fs.h doesn't try to define it as well.
      
      CC: qemu-trivial@nongnu.org
      CC: Markus Armbruster <armbru@redhat.com>
      CC: Peter Maydell <peter.maydell@linaro.org>
      CC: Stefan Weil <sw@weilnetz.de>
      Tested-by: NStefan Weil <sw@weilnetz.de>
      Signed-off-by: NJan Vesely <jano.vesely@gmail.com>
      [PMM: adjusted commit message, comments]
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      277abf15
    • P
      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging · 20b0f5fe
      Peter Maydell 提交于
      acpi: last minute fix for 2.6
      
      Minor, obvious fix only affecting BE hosts.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      
      # gpg: Signature made Sun 01 May 2016 13:43:28 BST using RSA key ID D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
      # gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
      
      * remotes/mst/tags/for_upstream:
        acpi: fix bios linker loadder COMMAND_ALLOCATE on bigendian host
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      20b0f5fe
  6. 01 5月, 2016 1 次提交
  7. 29 4月, 2016 4 次提交