Accepting request 798711 from home:bfrogers:branches:Virtualization

-Fix potential DoS in ATI VGA emulation (CVE-2020-11869
  bsc#1170537)
  ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch

OBS-URL: https://build.opensuse.org/request/show/798711
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=545
Bruce Rogers 2020-04-28 17:48:32 +00:00 committed by Git OBS Bridge
parent 0705b7f108
commit 9f67edf53d
3 changed files with 180 additions and 77 deletions


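--- a/ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
+++ b/ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
@@ -0,0 +1,94 @@
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Mon, 6 Apr 2020 22:34:26 +0200
+Subject: ati-vga: Fix checks in ati_2d_blt() to avoid crash
+Git-commit ac2071c3791b67fc7af78b8ceb320c01ca1b5df7:
+References: bsc#117037, CVE-2020-11869
+In some corner cases (that never happen during normal operation but a
+malicious guest could program wrong values) pixman functions were
+called with parameters that result in a crash. Fix this and add more
+checks to disallow such cases.
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++-----------
+1 file changed, 26 insertions(+), 11 deletions(-)
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 42e82311eb4433a6ee2671e9855a..23a8ae0cd8ceb7b59408c0709e2f 100644
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s)
+s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds),
+surface_bits_per_pixel(ds),
+(s->regs.dp_mix & GMC_ROP3_MASK) >> 16);
+- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
+- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
++ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
++ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
+int bpp = ati_bpp_from_datatype(s);
++ if (!bpp) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
++ return;
++ }
+int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch;
++ if (!dst_stride) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n");
++ return;
++ }
+uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+s->regs.dst_offset : s->regs.default_offset);
+@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s)
+switch (s->regs.dp_mix & GMC_ROP3_MASK) {
+case ROP3_SRCCOPY:
+{
+- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
+- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
++ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
++ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
+int src_stride = DEFAULT_CNTL ?
+s->regs.src_pitch : s->regs.default_pitch;
++ if (!src_stride) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n");
++ return;
++ }
+uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+s->regs.src_offset : s->regs.default_offset);
+@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s)
+dst_y * surface_stride(ds),
+s->regs.dst_height * surface_stride(ds));
+}
+- s->regs.dst_x += s->regs.dst_width;
+- s->regs.dst_y += s->regs.dst_height;
++ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ dst_x + s->regs.dst_width : dst_x);
++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ dst_y + s->regs.dst_height : dst_y);
+break;
+}
+case ROP3_PATCOPY:
+@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s)
+dst_y * surface_stride(ds),
+s->regs.dst_height * surface_stride(ds));
+}
+- s->regs.dst_y += s->regs.dst_height;
++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ dst_y + s->regs.dst_height : dst_y);
+break;
+}
+default: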
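Review bot: `References: bsc#117037` in the patch header drops a digit relative to the `bsc#1170537` cited in the request description and in qemu.changes, so the vendored patch points at a different bug number than the changelog; it should read `References: bsc#1170537, CVE-2020-11869`. In the code, the right-to-left and bottom-to-top branches of the new `unsigned dst_x`/`dst_y` (and `src_x`/`src_y`) computations wrap to a very large value whenever the guest programs a width or height larger than the start coordinate plus one; that looks like the intended way of letting a later VRAM-bounds comparison reject the blit, but the function body between and after these hunks is not visible here, so whether every such path is rejected before the wrapped value is added to `s->vga.vram_ptr` cannot be confirmed. An explicit guard next to the computation, e.g. `if (!(s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT) && s->regs.dst_width > s->regs.dst_x + 1) { qemu_log_mask(LOG_GUEST_ERROR, "Invalid blit extent\n"); return; }` with the same shape for the Y axis, would make that intent visible and avoid forming an out-of-range pointer at all. ati_2d_blt() begins before the first hunk and continues past the last one.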


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Apr 27 19:35:55 UTC 2020 - Bruce Rogers <brogers@suse.com>
-Fix potential DoS in ATI VGA emulation (CVE-2020-11869
bsc#1170537)
ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
-------------------------------------------------------------------
Wed Apr 22 15:23:15 UTC 2020 - Bruce Rogers <brogers@suse.com>

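--- a/qemu.spec
+++ b/qemu.spec
@@ -220,83 +220,84 @@ Patch00089: tcg-i386-Fix-INDEX_op_dup2_vec.patch
 Patch00090: net-tulip-check-frame-size-and-r-w-data-.patch
 Patch00091: target-i386-do-not-set-unsupported-VMX-s.patch
 Patch00092: spapr-Fix-failure-path-for-attempting-to.patch
-Patch00093: xen-block-Fix-double-qlist-remove-and-re.patch
-Patch00094: vpc-Don-t-round-up-already-aligned-BAT-s.patch
-Patch00095: target-xtensa-fix-pasto-in-pfwait.r-opco.patch
-Patch00096: aio-wait-delegate-polling-of-main-AioCon.patch
-Patch00097: async-use-explicit-memory-barriers.patch
-Patch00098: tcg-mips-mips-sync-encode-error.patch
-Patch00099: vhost-user-gpu-Release-memory-returned-b.patch
-Patch00100: XXX-dont-dump-core-on-sigabort.patch
-Patch00101: qemu-binfmt-conf-Modify-default-path.patch
-Patch00102: qemu-cvs-gettimeofday.patch
-Patch00103: qemu-cvs-ioctl_debug.patch
-Patch00104: qemu-cvs-ioctl_nodirection.patch
-Patch00105: linux-user-add-binfmt-wrapper-for-argv-0.patch
-Patch00106: PPC-KVM-Disable-mmu-notifier-check.patch
-Patch00107: linux-user-binfmt-support-host-binaries.patch
-Patch00108: linux-user-Fake-proc-cpuinfo.patch
-Patch00109: linux-user-use-target_ulong.patch
-Patch00110: Make-char-muxer-more-robust-wrt-small-FI.patch
-Patch00111: linux-user-lseek-explicitly-cast-non-set.patch
-Patch00112: AIO-Reduce-number-of-threads-for-32bit-h.patch
-Patch00113: xen_disk-Add-suse-specific-flush-disable.patch
-Patch00114: qemu-bridge-helper-reduce-security-profi.patch
-Patch00115: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
-Patch00116: linux-user-properly-test-for-infinite-ti.patch
-Patch00117: roms-Makefile-pass-a-packaging-timestamp.patch
-Patch00118: Raise-soft-address-space-limit-to-hard-l.patch
-Patch00119: increase-x86_64-physical-bits-to-42.patch
-Patch00120: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
-Patch00121: i8254-Fix-migration-from-SLE11-SP2.patch
-Patch00122: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
-Patch00123: Switch-order-of-libraries-for-mpath-supp.patch
-Patch00124: Make-installed-scripts-explicitly-python.patch
-Patch00125: hw-smbios-handle-both-file-formats-regar.patch
-Patch00126: xen-add-block-resize-support-for-xen-dis.patch
-Patch00127: tests-qemu-iotests-Triple-timeout-of-i-o.patch
-Patch00128: tests-Fix-block-tests-to-be-compatible-w.patch
-Patch00129: xen-ignore-live-parameter-from-xen-save-.patch
-Patch00130: Conditionalize-ui-bitmap-installation-be.patch
-Patch00131: tests-change-error-message-in-test-162.patch
-Patch00132: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
-Patch00133: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
-Patch00134: hw-intc-exynos4210_gic-provide-more-room.patch
-Patch00135: configure-only-populate-roms-if-softmmu.patch
-Patch00136: pc-bios-s390-ccw-net-avoid-warning-about.patch
-Patch00137: roms-change-cross-compiler-naming-to-be-.patch
-Patch00138: tests-Disable-some-block-tests-for-now.patch
-Patch00139: test-add-mapping-from-arch-of-i686-to-qe.patch
-Patch00140: roms-Makefile-enable-cross-compile-for-b.patch
-Patch00141: hw-i386-disable-smbus-migration-for-xenf.patch
-Patch00142: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
-Patch00143: s390x-Move-reset-normal-to-shared-reset-.patch
-Patch00144: s390x-Move-initial-reset.patch
-Patch00145: s390x-Move-clear-reset.patch
-Patch00146: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
-Patch00147: s390x-ipl-Consolidate-iplb-validity-chec.patch
-Patch00148: s390x-Beautify-diag308-handling.patch
-Patch00149: s390x-Add-missing-vcpu-reset-functions.patch
-Patch00150: s390-sclp-improve-special-wait-psw-logic.patch
-Patch00151: s390x-Move-diagnose-308-subcodes-and-rcs.patch
-Patch00152: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
-Patch00153: Sync-pv.patch
-Patch00154: s390x-protvirt-Support-unpack-facility.patch
-Patch00155: s390x-protvirt-Add-migration-blocker.patch
-Patch00156: s390x-protvirt-Inhibit-balloon-when-swit.patch
-Patch00157: s390x-protvirt-KVM-intercept-changes.patch
-Patch00158: s390x-Add-SIDA-memory-ops.patch
-Patch00159: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
-Patch00160: s390x-protvirt-SCLP-interpretation.patch
-Patch00161: s390x-protvirt-Set-guest-IPL-PSW.patch
-Patch00162: s390x-protvirt-Move-diag-308-data-over-S.patch
-Patch00163: s390x-protvirt-Disable-address-checks-fo.patch
-Patch00164: s390x-protvirt-Move-IO-control-structure.patch
-Patch00165: s390x-protvirt-Handle-SIGP-store-status-.patch
-Patch00166: s390x-Add-unpack-facility-feature-to-GA1.patch
-Patch00167: s390x-s390-virtio-ccw-Fix-build-on-syste.patch
-Patch00168: configure-remove-pkgversion-from-CONFIG_.patch
-Patch00169: gcc10-maybe-uninitialized.patch
+Patch00093: ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
+Patch00094: xen-block-Fix-double-qlist-remove-and-re.patch
+Patch00095: vpc-Don-t-round-up-already-aligned-BAT-s.patch
+Patch00096: target-xtensa-fix-pasto-in-pfwait.r-opco.patch
+Patch00097: aio-wait-delegate-polling-of-main-AioCon.patch
+Patch00098: async-use-explicit-memory-barriers.patch
+Patch00099: tcg-mips-mips-sync-encode-error.patch
+Patch00100: vhost-user-gpu-Release-memory-returned-b.patch
+Patch00101: XXX-dont-dump-core-on-sigabort.patch
+Patch00102: qemu-binfmt-conf-Modify-default-path.patch
+Patch00103: qemu-cvs-gettimeofday.patch
+Patch00104: qemu-cvs-ioctl_debug.patch
+Patch00105: qemu-cvs-ioctl_nodirection.patch
+Patch00106: linux-user-add-binfmt-wrapper-for-argv-0.patch
+Patch00107: PPC-KVM-Disable-mmu-notifier-check.patch
+Patch00108: linux-user-binfmt-support-host-binaries.patch
+Patch00109: linux-user-Fake-proc-cpuinfo.patch
+Patch00110: linux-user-use-target_ulong.patch
+Patch00111: Make-char-muxer-more-robust-wrt-small-FI.patch
+Patch00112: linux-user-lseek-explicitly-cast-non-set.patch
+Patch00113: AIO-Reduce-number-of-threads-for-32bit-h.patch
+Patch00114: xen_disk-Add-suse-specific-flush-disable.patch
+Patch00115: qemu-bridge-helper-reduce-security-profi.patch
+Patch00116: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
+Patch00117: linux-user-properly-test-for-infinite-ti.patch
+Patch00118: roms-Makefile-pass-a-packaging-timestamp.patch
+Patch00119: Raise-soft-address-space-limit-to-hard-l.patch
+Patch00120: increase-x86_64-physical-bits-to-42.patch
+Patch00121: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
+Patch00122: i8254-Fix-migration-from-SLE11-SP2.patch
+Patch00123: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
+Patch00124: Switch-order-of-libraries-for-mpath-supp.patch
+Patch00125: Make-installed-scripts-explicitly-python.patch
+Patch00126: hw-smbios-handle-both-file-formats-regar.patch
+Patch00127: xen-add-block-resize-support-for-xen-dis.patch
+Patch00128: tests-qemu-iotests-Triple-timeout-of-i-o.patch
+Patch00129: tests-Fix-block-tests-to-be-compatible-w.patch
+Patch00130: xen-ignore-live-parameter-from-xen-save-.patch
+Patch00131: Conditionalize-ui-bitmap-installation-be.patch
+Patch00132: tests-change-error-message-in-test-162.patch
+Patch00133: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
+Patch00134: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
+Patch00135: hw-intc-exynos4210_gic-provide-more-room.patch
+Patch00136: configure-only-populate-roms-if-softmmu.patch
+Patch00137: pc-bios-s390-ccw-net-avoid-warning-about.patch
+Patch00138: roms-change-cross-compiler-naming-to-be-.patch
+Patch00139: tests-Disable-some-block-tests-for-now.patch
+Patch00140: test-add-mapping-from-arch-of-i686-to-qe.patch
+Patch00141: roms-Makefile-enable-cross-compile-for-b.patch
+Patch00142: hw-i386-disable-smbus-migration-for-xenf.patch
+Patch00143: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
+Patch00144: s390x-Move-reset-normal-to-shared-reset-.patch
+Patch00145: s390x-Move-initial-reset.patch
+Patch00146: s390x-Move-clear-reset.patch
+Patch00147: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
+Patch00148: s390x-ipl-Consolidate-iplb-validity-chec.patch
+Patch00149: s390x-Beautify-diag308-handling.patch
+Patch00150: s390x-Add-missing-vcpu-reset-functions.patch
+Patch00151: s390-sclp-improve-special-wait-psw-logic.patch
+Patch00152: s390x-Move-diagnose-308-subcodes-and-rcs.patch
+Patch00153: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
+Patch00154: Sync-pv.patch
+Patch00155: s390x-protvirt-Support-unpack-facility.patch
+Patch00156: s390x-protvirt-Add-migration-blocker.patch
+Patch00157: s390x-protvirt-Inhibit-balloon-when-swit.patch
+Patch00158: s390x-protvirt-KVM-intercept-changes.patch
+Patch00159: s390x-Add-SIDA-memory-ops.patch
+Patch00160: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
+Patch00161: s390x-protvirt-SCLP-interpretation.patch
+Patch00162: s390x-protvirt-Set-guest-IPL-PSW.patch
+Patch00163: s390x-protvirt-Move-diag-308-data-over-S.patch
+Patch00164: s390x-protvirt-Disable-address-checks-fo.patch
+Patch00165: s390x-protvirt-Move-IO-control-structure.patch
+Patch00166: s390x-protvirt-Handle-SIGP-store-status-.patch
+Patch00167: s390x-Add-unpack-facility-feature-to-GA1.patch
+Patch00168: s390x-s390-virtio-ccw-Fix-build-on-syste.patch
+Patch00169: configure-remove-pkgversion-from-CONFIG_.patch
+Patch00170: gcc10-maybe-uninitialized.patch
 # Patches applied in roms/seabios/:
 Patch01000: seabios-use-python2-explicitly-as-needed.patch
 Patch01001: seabios-switch-to-python3-as-needed.patch
@@ -1182,6 +1183,7 @@ This package provides a service file for starting and stopping KSM.
 %patch00167 -p1
 %patch00168 -p1
 %patch00169 -p1
+%patch00170 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1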