<feed xmlns='http://www.w3.org/2005/Atom'>
<title>qemu/qemu.git, branch stable-2.5</title>
<subtitle>QEMU main repository</subtitle>
<id>https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/atom?h=stable-2.5</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/atom?h=stable-2.5'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/'/>
<updated>2016-05-09T16:55:58+00:00</updated>
<entry>
<title>Update version for 2.5.1.1 release</title>
<updated>2016-05-09T16:55:58+00:00</updated>
<author>
<name>Michael Roth</name>
<email>mdroth@linux.vnet.ibm.com</email>
</author>
<published>2016-05-09T16:10:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=db51dfc1fcaf0027a5f266b7def4317605848c6a'/>
<id>urn:sha1:db51dfc1fcaf0027a5f266b7def4317605848c6a</id>
<content type='text'>
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com
</content>
</entry>
<entry>
<title>cadence_uart: bounds check write offset</title>
<updated>2016-05-09T16:55:58+00:00</updated>
<author>
<name>Michael S. Tsirkin</name>
<email>mst@redhat.com</email>
</author>
<published>2016-04-18T10:07:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=5b7236f7256974d9c0286fa4837aa5e15ef5c629'/>
<id>urn:sha1:5b7236f7256974d9c0286fa4837aa5e15ef5c629</id>
<content type='text'>
cadence_uart_init() initializes an I/O memory region of size 0x1000
bytes.  However in uart_write(), the 'offset' parameter (offset within
region) is divided by 4 and then used to index the array 'r' of size
CADENCE_UART_R_MAX which is much smaller: (0x48/4).  If 'offset&gt;&gt;=2'
exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
write where the offset and the value are controlled by guest.

This will corrupt QEMU memory, in most situations this causes the vm to
crash.

Fix by checking the offset against the array size.

Cc: qemu-stable@nongnu.org
Reported-by: 李强 &lt;liqiang6-s@360.cn&gt;
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Reviewed-by: Alistair Francis &lt;alistair.francis@xilinx.com&gt;
Message-id: 20160418100735.GA517@redhat.com
Signed-off-by: Peter Maydell &lt;peter.maydell@linaro.org&gt;
(cherry picked from commit 5eb0b194e9b01ba0f3613e6ddc2cb9f63ce96ae5)
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>Revert "ehci: make idt processing more robust"</title>
<updated>2016-05-09T03:37:18+00:00</updated>
<author>
<name>Gerd Hoffmann</name>
<email>kraxel@redhat.com</email>
</author>
<published>2016-04-18T07:20:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=0bcdb632f871fc5c80ded99e52445da35a8eaaa7'/>
<id>urn:sha1:0bcdb632f871fc5c80ded99e52445da35a8eaaa7</id>
<content type='text'>
This reverts commit 156a2e4dbffa85997636a7a39ef12da6f1b40254.

Breaks FreeBSD.

Signed-off-by: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
(cherry picked from commit a49923d2837d20510d645d3758f1ad87c32d0730)
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>ehci: apply limit to iTD/sidt descriptors</title>
<updated>2016-05-09T03:37:09+00:00</updated>
<author>
<name>Gerd Hoffmann</name>
<email>kraxel@redhat.com</email>
</author>
<published>2016-04-18T07:11:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=706bab670bab12dddca0318b402461013e412270'/>
<id>urn:sha1:706bab670bab12dddca0318b402461013e412270</id>
<content type='text'>
Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
DoS by the guest (create a circular iTD queue and let qemu ehci
emulation run in circles forever).  Unfortunately this has two problems:
First it misses the case of siTDs, and second it reportedly breaks
FreeBSD.

So lets go for a different approach: just count the number of iTDs and
siTDs we have seen per frame and apply a limit.  That should really
catch all cases now.

Reported-by: 杜少博 &lt;dushaobo@360.cn&gt;
Signed-off-by: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
(cherry picked from commit 1ae3f2f178087711f9591350abad133525ba93f2)
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).</title>
<updated>2016-05-09T01:56:43+00:00</updated>
<author>
<name>Gerd Hoffmann</name>
<email>kraxel@redhat.com</email>
</author>
<published>2016-04-26T12:48:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=44b86aa32e4147c727fadd9a0f0bc503a5dedb72'/>
<id>urn:sha1:44b86aa32e4147c727fadd9a0f0bc503a5dedb72</id>
<content type='text'>
Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
registers, to make sure the vga registers will always have the
values needed by vbe mode.  This makes sure the sanity checks
applied by vbe_fixup_regs() are effective.

Without this guests can muck with shift_control, can turn on planar
vga modes or text mode emulation while VBE is active, making qemu
take code paths meant for CGA compatibility, but with the very
large display widths and heigts settable using VBE registers.

Which is good for one or another buffer overflow.  Not that
critical as they typically read overflows happening somewhere
in the display code.  So guests can DoS by crashing qemu with a
segfault, but it is probably not possible to break out of the VM.

Fixes: CVE-2016-3712
Reported-by: Zuozhi Fzz &lt;zuozhi.fzz@alibaba-inc.com&gt;
Reported-by: P J P &lt;ppandit@redhat.com&gt;
Signed-off-by: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>vga: update vga register setup on vbe changes</title>
<updated>2016-05-09T01:56:40+00:00</updated>
<author>
<name>Gerd Hoffmann</name>
<email>kraxel@redhat.com</email>
</author>
<published>2016-04-26T13:39:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=a6e5e5dd4bbc022acbd10ebcf415a6a57418d09e'/>
<id>urn:sha1:a6e5e5dd4bbc022acbd10ebcf415a6a57418d09e</id>
<content type='text'>
Call the new vbe_update_vgaregs() function on vbe configuration
changes, to make sure vga registers are up-to-date.

Signed-off-by: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>vga: factor out vga register setup</title>
<updated>2016-05-09T01:56:38+00:00</updated>
<author>
<name>Gerd Hoffmann</name>
<email>kraxel@redhat.com</email>
</author>
<published>2016-04-26T13:24:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=2f2f74e87c15e830f5a4dda7a166effcab5047ec'/>
<id>urn:sha1:2f2f74e87c15e830f5a4dda7a166effcab5047ec</id>
<content type='text'>
When enabling vbe mode qemu will setup a bunch of vga registers to make
sure the vga emulation operates in correct mode for a linear
framebuffer.  Move that code to a separate function so we can call it
from other places too.

Signed-off-by: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>vga: add vbe_enabled() helper</title>
<updated>2016-05-09T01:56:34+00:00</updated>
<author>
<name>Gerd Hoffmann</name>
<email>kraxel@redhat.com</email>
</author>
<published>2016-04-26T12:11:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=46aff2c7e91ef9f372ad38ba5e90c42b9b27ac75'/>
<id>urn:sha1:46aff2c7e91ef9f372ad38ba5e90c42b9b27ac75</id>
<content type='text'>
Makes code a bit easier to read.

Signed-off-by: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>vga: fix banked access bounds checking (CVE-2016-3710)</title>
<updated>2016-05-09T01:56:30+00:00</updated>
<author>
<name>Gerd Hoffmann</name>
<email>kraxel@redhat.com</email>
</author>
<published>2016-04-26T06:49:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=4f0323d26c8da08b7bcfdd4722a38711bd2f1a3b'/>
<id>urn:sha1:4f0323d26c8da08b7bcfdd4722a38711bd2f1a3b</id>
<content type='text'>
vga allows banked access to video memory using the window at 0xa00000
and it supports a different access modes with different address
calculations.

The VBE bochs extentions support banked access too, using the
VBE_DISPI_INDEX_BANK register.  The code tries to take the different
address calculations into account and applies different limits to
VBE_DISPI_INDEX_BANK depending on the current access mode.

Which is probably effective in stopping misprogramming by accident.
But from a security point of view completely useless as an attacker
can easily change access modes after setting the bank register.

Drop the bogus check, add range checks to vga_mem_{readb,writeb}
instead.

Fixes: CVE-2016-3710
Reported-by: Qinghao Tang &lt;luodalongde@gmail.com&gt;
Signed-off-by: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>Update version for 2.5.1 release</title>
<updated>2016-03-29T20:47:56+00:00</updated>
<author>
<name>Michael Roth</name>
<email>mdroth@linux.vnet.ibm.com</email>
</author>
<published>2016-03-29T20:47:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=a58047f7fbb055677e45c9a7d65ba40fbfad4b92'/>
<id>urn:sha1:a58047f7fbb055677e45c9a7d65ba40fbfad4b92</id>
<content type='text'>
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
</feed>
