
From: Gerd Hoffmann
Subject: [Qemu-devel] [PULL for-2.6 0/5] vga security fixes (CVE-2016-3710, CVE-2016-3712)
Date: Mon, 9 May 2016 14:51:45 +0200


Here comes a pull request for 2.6, fixing two security issues in the
vga emulation code.

The first one (CVE-2016-3710, patch #1) is pretty serious, allowing the
guest to read and write host memory.  Possibly allows the guest to break
out of the vm.

The second one (CVE-2016-3712) is a read overflow.  DoS only (allows the
guest to crash qemu).

Both flaws are similar:  Programming the vga using both bochs vbe
registers and standard vga registers, create an unusual video mode,
bypass sanity checks that way.  See actual patch descriptions for more

please pull,

The following changes since commit 277abf15a60f7653bfb05ffb513ed74ffdaea1b7:

  configure: Check if struct fsxattr is available from linux header (2016-05-02 13:04:26 +0100)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/pull-vga-20160509-1

for you to fetch changes up to fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7:

  vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). (2016-05-02 16:02:59 +0200)

vga security fixes (CVE-2016-3710, CVE-2016-3712)

Gerd Hoffmann (5):
      vga: fix banked access bounds checking (CVE-2016-3710)
      vga: add vbe_enabled() helper
      vga: factor out vga register setup
      vga: update vga register setup on vbe changes
      vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).

 hw/display/vga.c | 122 +++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 78 insertions(+), 44 deletions(-)
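The banked-access problem behind patch #1, as an added illustration in a constructed model (not QEMU's hw/display/vga.c, and the VRAM and window sizes are assumptions): when the bank offset is guest-programmable, validating only the window-relative address is not enough; the final index into VRAM, bank offset included, has to be bounds-checked.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a banked VGA aperture; sizes are assumptions, not QEMU's. */
#define BANK_WINDOW  0x10000u            /* 64 KiB window at 0xA0000 */
#define VRAM_SIZE    (256u * 1024u)      /* hypothetical VRAM size */

typedef struct {
    uint8_t  vram[VRAM_SIZE];
    uint32_t bank_offset;   /* guest-programmable (e.g. via a VBE bank register) */
} VGAModel;

/* Final byte index into vram for a window-relative address.
 * Computed in 64 bits so a huge bank_offset cannot wrap to a small index. */
static uint64_t banked_index(const VGAModel *s, uint32_t addr)
{
    return (uint64_t)s->bank_offset + addr;
}

/* Weak check: validates only the window-relative offset and never looks at
 * bank_offset, so a large bank offset still yields an index past vram. */
static int weak_check_allows(const VGAModel *s, uint32_t addr)
{
    (void)s;
    return addr < BANK_WINDOW;
}

/* Hardened read: reject when the window offset is out of range OR the final
 * index (bank offset applied) is outside VRAM. Returns 0xff on rejection. */
static uint8_t banked_readb(const VGAModel *s, uint32_t addr)
{
    uint64_t idx = banked_index(s, addr);
    if (addr >= BANK_WINDOW || idx >= VRAM_SIZE) {
        return 0xff;
    }
    return s->vram[idx];
}

/* Hardened write: same check; returns 1 if stored, 0 if the access was dropped. */
static int banked_writeb(VGAModel *s, uint32_t addr, uint8_t val)
{
    uint64_t idx = banked_index(s, addr);
    if (addr >= BANK_WINDOW || idx >= VRAM_SIZE) {
        return 0;
    }
    s->vram[idx] = val;
    return 1;
}
```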
