From: Gerd Hoffmann
Subject: [Qemu-devel] [PULL for-2.6 0/5] vga security fixes (CVE-2016-3710, CVE-2016-3712)
Date: Mon, 9 May 2016 14:51:45 +0200

  Hi,

Here comes a pull request for 2.6, fixing two security issues in the
vga emulation code.

The first one (CVE-2016-3710, patch #1) is pretty serious, allowing the
guest to read and write host memory.  Possibly allows the guest to break
out of the vm.

The second one (CVE-2016-3712) is a read overflow.  DoS only (allows the
guest to crash qemu).

Both flaws are similar:  Programming the vga using both bochs vbe
registers and standard vga registers, create an unusual video mode,
bypass sanity checks that way.  See actual patch descriptions for more
details.

please pull,
  Gerd

The following changes since commit 277abf15a60f7653bfb05ffb513ed74ffdaea1b7:

  configure: Check if struct fsxattr is available from linux header (2016-05-02 13:04:26 +0100)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/pull-vga-20160509-1

for you to fetch changes up to fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7:

  vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). (2016-05-02 16:02:59 +0200)

----------------------------------------------------------------
vga security fixes (CVE-2016-3710, CVE-2016-3712)

----------------------------------------------------------------
Gerd Hoffmann (5):
      vga: fix banked access bounds checking (CVE-2016-3710)
      vga: add vbe_enabled() helper
      vga: factor out vga register setup
      vga: update vga register setup on vbe changes
      vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).

 hw/display/vga.c | 122 +++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 78 insertions(+), 44 deletions(-)