
[PULL,for-2.6,0/5] vga security fixes (CVE-2016-3710, CVE-2016-3712)

Message ID 1462798310-21395-1-git-send-email-kraxel@redhat.com

Pull-request

git://git.kraxel.org/qemu tags/pull-vga-20160509-1

Message

Gerd Hoffmann May 9, 2016, 12:51 p.m. UTC
Hi,

Here comes a pull request for 2.6, fixing two security issues in the
vga emulation code.

The first one (CVE-2016-3710, patch #1) is pretty serious, allowing the
guest to read and write host memory.  Possibly allows the guest to break
out of the vm.

The second one (CVE-2016-3712) is a read overflow.  DoS only (allows the
guest to crash qemu).

Both flaws are similar:  Programming the vga using both bochs vbe
registers and standard vga registers, create an unusual video mode,
bypass sanity checks that way.  See actual patch descriptions for more
details.

please pull,
  Gerd

The following changes since commit 277abf15a60f7653bfb05ffb513ed74ffdaea1b7:

  configure: Check if struct fsxattr is available from linux header (2016-05-02 13:04:26 +0100)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/pull-vga-20160509-1

for you to fetch changes up to fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7:

  vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). (2016-05-02 16:02:59 +0200)

----------------------------------------------------------------
vga security fixes (CVE-2016-3710, CVE-2016-3712)

----------------------------------------------------------------
Gerd Hoffmann (5):
      vga: fix banked access bounds checking (CVE-2016-3710)
      vga: add vbe_enabled() helper
      vga: factor out vga register setup
      vga: update vga register setup on vbe changes
      vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).

 hw/display/vga.c | 122 +++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 78 insertions(+), 44 deletions(-)

Comments

Peter Maydell May 9, 2016, 1:06 p.m. UTC | #1
On 9 May 2016 at 13:51, Gerd Hoffmann <kraxel@redhat.com> wrote:
>   Hi,
>
> Here comes a pull request for 2.6, fixing two security issues in the
> vga emulation code.
>
> The first one (CVE-2016-3710, patch #1) is pretty serious, allowing the
> guest to read and write host memory.  Possibly allows the guest to break
> out of the vm.
>
> The second one (CVE-2016-3712) is a read overflow.  DoS only (allows the
> guest to crash qemu).
>
> Both flaws are similar:  Programming the vga using both bochs vbe
> registers and standard vga registers, create an unusual video mode,
> bypass sanity checks that way.  See actual patch descriptions for more
> details.
>
> please pull,
>   Gerd
>
> The following changes since commit 277abf15a60f7653bfb05ffb513ed74ffdaea1b7:
>
>   configure: Check if struct fsxattr is available from linux header (2016-05-02 13:04:26 +0100)
>
> are available in the git repository at:
>
>   git://git.kraxel.org/qemu tags/pull-vga-20160509-1
>
> for you to fetch changes up to fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7:
>
>   vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). (2016-05-02 16:02:59 +0200)
>
> ----------------------------------------------------------------
> vga security fixes (CVE-2016-3710, CVE-2016-3712)
>
> ----------------------------------------------------------------

Applied to master, thanks. That was all we were waiting for to
release 2.6, so I will tag rc5 this afternoon and barring disaster
tag the final release (same contents) on Wednesday.

thanks
-- PMM