From 9f67edf53d379e17921995a2f31a81f142a7c93e5b4f58c2ff8617c949a28250 Mon Sep 17 00:00:00 2001
From: Bruce Rogers
Date: Tue, 28 Apr 2020 17:48:32 +0000
Subject: [PATCH] Accepting request 798711 from home:bfrogers:branches:Virtualization
-Fix potential DoS in ATI VGA emulation (CVE-2020-11869 bsc#1170537) ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
OBS-URL: https://build.opensuse.org/request/show/798711
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=545
---
 ...vga-Fix-checks-in-ati_2d_blt-to-avoi.patch | 94 +++++++++++
 qemu.changes | 7 +
 qemu.spec | 156 +++++++++---------
 3 files changed, 180 insertions(+), 77 deletions(-)
 create mode 100644 ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
diff --git a/ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch b/ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
new file mode 100644
index 00000000..de52acfc
--- /dev/null
+++ b/ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
@@ -0,0 +1,94 @@
+From: BALATON Zoltan
+Date: Mon, 6 Apr 2020 22:34:26 +0200
+Subject: ati-vga: Fix checks in ati_2d_blt() to avoid crash
+
+Git-commit ac2071c3791b67fc7af78b8ceb320c01ca1b5df7:
+References: bsc#117037, CVE-2020-11869
+
+In some corner cases (that never happen during normal operation but a
+malicious guest could program wrong values) pixman functions were
+called with parameters that result in a crash. Fix this and add more
+checks to disallow such cases.
+
+Reported-by: Ziming Zhang
+Signed-off-by: BALATON Zoltan
+Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Bruce Rogers
+---
+ hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++-----------
+ 1 file changed, 26 insertions(+), 11 deletions(-)
+
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 42e82311eb4433a6ee2671e9855a..23a8ae0cd8ceb7b59408c0709e2f 100644
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s)
+ s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds),
+ surface_bits_per_pixel(ds),
+ (s->regs.dp_mix & GMC_ROP3_MASK) >> 16);
+- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
+- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
++ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
++ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
+ int bpp = ati_bpp_from_datatype(s);
++ if (!bpp) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
++ return;
++ }
+ int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch;
++ if (!dst_stride) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n");
++ return;
++ }
+ uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+ s->regs.dst_offset : s->regs.default_offset);
+
+@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s)
+ switch (s->regs.dp_mix & GMC_ROP3_MASK) {
+ case ROP3_SRCCOPY:
+ {
+- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
+- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
++ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
++ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
+ int src_stride = DEFAULT_CNTL ?
+ s->regs.src_pitch : s->regs.default_pitch;
++ if (!src_stride) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n");
++ return;
++ }
+ uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+ s->regs.src_offset : s->regs.default_offset);
+
+@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s)
+ dst_y * surface_stride(ds),
+ s->regs.dst_height * surface_stride(ds));
+ }
+- s->regs.dst_x += s->regs.dst_width;
+- s->regs.dst_y += s->regs.dst_height;
++ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ dst_x + s->regs.dst_width : dst_x);
++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ dst_y + s->regs.dst_height : dst_y);
+ break;
+ }
+ case ROP3_PATCOPY:
+@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s)
+ dst_y * surface_stride(ds),
+ s->regs.dst_height * surface_stride(ds));
+ }
+- s->regs.dst_y += s->regs.dst_height;
++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ dst_y + s->regs.dst_height : dst_y);
+ break;
+ }
+ default:
diff --git a/qemu.changes b/qemu.changes
index 77eb77f6..b7d300b6 100644
--- a/qemu.changes
+++ b/qemu.changes
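Review bot: The `References:` trailer in the new patch header reads `bsc#117037`, which disagrees with `bsc#1170537` in the commit subject and in the qemu.changes entry, so the patch will not be traceable to the right bug report; it should read `References: bsc#1170537, CVE-2020-11869`. On the code side, the zero checks for `bpp`, `dst_stride` and `src_stride` stop pixman from being called with a zero pitch, but switching `dst_x`/`dst_y`/`src_x`/`src_y` to `unsigned` means that a right-to-left or bottom-to-top blit with `dst_width` larger than `dst_x + 1` now wraps to a very large offset instead of going negative, and whether that wrapped value is still rejected depends on the existing VRAM bounds check, which sits outside these hunks and is presumably still computed with these variables — worth confirming. A one-line comment above the `unsigned dst_x` declaration, such as `/* unsigned: a wrapped value must be caught by the vram range check below */`, would make that dependency explicit for the next reader. ati_2d_blt() starts and ends outside the shown hunks.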
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Apr 27 19:35:55 UTC 2020 - Bruce Rogers
+
+-Fix potential DoS in ATI VGA emulation (CVE-2020-11869
+ bsc#1170537)
+ ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
+
 -------------------------------------------------------------------
 Wed Apr 22 15:23:15 UTC 2020 - Bruce Rogers
 
diff --git a/qemu.spec b/qemu.spec
index a70e7f02..150b62c6 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -220,83 +220,84 @@ Patch00089: tcg-i386-Fix-INDEX_op_dup2_vec.patch
 Patch00090: net-tulip-check-frame-size-and-r-w-data-.patch
 Patch00091: target-i386-do-not-set-unsupported-VMX-s.patch
 Patch00092: spapr-Fix-failure-path-for-attempting-to.patch
-Patch00093: xen-block-Fix-double-qlist-remove-and-re.patch
-Patch00094: vpc-Don-t-round-up-already-aligned-BAT-s.patch
-Patch00095: target-xtensa-fix-pasto-in-pfwait.r-opco.patch
-Patch00096: aio-wait-delegate-polling-of-main-AioCon.patch
-Patch00097: async-use-explicit-memory-barriers.patch
-Patch00098: tcg-mips-mips-sync-encode-error.patch
-Patch00099: vhost-user-gpu-Release-memory-returned-b.patch
-Patch00100: XXX-dont-dump-core-on-sigabort.patch
-Patch00101: qemu-binfmt-conf-Modify-default-path.patch
-Patch00102: qemu-cvs-gettimeofday.patch
-Patch00103: qemu-cvs-ioctl_debug.patch
-Patch00104: qemu-cvs-ioctl_nodirection.patch
-Patch00105: linux-user-add-binfmt-wrapper-for-argv-0.patch
-Patch00106: PPC-KVM-Disable-mmu-notifier-check.patch
-Patch00107: linux-user-binfmt-support-host-binaries.patch
-Patch00108: linux-user-Fake-proc-cpuinfo.patch
-Patch00109: linux-user-use-target_ulong.patch
-Patch00110: Make-char-muxer-more-robust-wrt-small-FI.patch
-Patch00111: linux-user-lseek-explicitly-cast-non-set.patch
-Patch00112: AIO-Reduce-number-of-threads-for-32bit-h.patch
-Patch00113: xen_disk-Add-suse-specific-flush-disable.patch
-Patch00114: qemu-bridge-helper-reduce-security-profi.patch
-Patch00115: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
-Patch00116: linux-user-properly-test-for-infinite-ti.patch
-Patch00117: roms-Makefile-pass-a-packaging-timestamp.patch
-Patch00118: Raise-soft-address-space-limit-to-hard-l.patch
-Patch00119: increase-x86_64-physical-bits-to-42.patch
-Patch00120: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
-Patch00121: i8254-Fix-migration-from-SLE11-SP2.patch
-Patch00122: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
-Patch00123: Switch-order-of-libraries-for-mpath-supp.patch
-Patch00124: Make-installed-scripts-explicitly-python.patch
-Patch00125: hw-smbios-handle-both-file-formats-regar.patch
-Patch00126: xen-add-block-resize-support-for-xen-dis.patch
-Patch00127: tests-qemu-iotests-Triple-timeout-of-i-o.patch
-Patch00128: tests-Fix-block-tests-to-be-compatible-w.patch
-Patch00129: xen-ignore-live-parameter-from-xen-save-.patch
-Patch00130: Conditionalize-ui-bitmap-installation-be.patch
-Patch00131: tests-change-error-message-in-test-162.patch
-Patch00132: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
-Patch00133: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
-Patch00134: hw-intc-exynos4210_gic-provide-more-room.patch
-Patch00135: configure-only-populate-roms-if-softmmu.patch
-Patch00136: pc-bios-s390-ccw-net-avoid-warning-about.patch
-Patch00137: roms-change-cross-compiler-naming-to-be-.patch
-Patch00138: tests-Disable-some-block-tests-for-now.patch
-Patch00139: test-add-mapping-from-arch-of-i686-to-qe.patch
-Patch00140: roms-Makefile-enable-cross-compile-for-b.patch
-Patch00141: hw-i386-disable-smbus-migration-for-xenf.patch
-Patch00142: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
-Patch00143: s390x-Move-reset-normal-to-shared-reset-.patch
-Patch00144: s390x-Move-initial-reset.patch
-Patch00145: s390x-Move-clear-reset.patch
-Patch00146: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
-Patch00147: s390x-ipl-Consolidate-iplb-validity-chec.patch
-Patch00148: s390x-Beautify-diag308-handling.patch
-Patch00149: s390x-Add-missing-vcpu-reset-functions.patch
-Patch00150: s390-sclp-improve-special-wait-psw-logic.patch
-Patch00151: s390x-Move-diagnose-308-subcodes-and-rcs.patch
-Patch00152: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
-Patch00153: Sync-pv.patch
-Patch00154: s390x-protvirt-Support-unpack-facility.patch
-Patch00155: s390x-protvirt-Add-migration-blocker.patch
-Patch00156: s390x-protvirt-Inhibit-balloon-when-swit.patch
-Patch00157: s390x-protvirt-KVM-intercept-changes.patch
-Patch00158: s390x-Add-SIDA-memory-ops.patch
-Patch00159: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
-Patch00160: s390x-protvirt-SCLP-interpretation.patch
-Patch00161: s390x-protvirt-Set-guest-IPL-PSW.patch
-Patch00162: s390x-protvirt-Move-diag-308-data-over-S.patch
-Patch00163: s390x-protvirt-Disable-address-checks-fo.patch
-Patch00164: s390x-protvirt-Move-IO-control-structure.patch
-Patch00165: s390x-protvirt-Handle-SIGP-store-status-.patch
-Patch00166: s390x-Add-unpack-facility-feature-to-GA1.patch
-Patch00167: s390x-s390-virtio-ccw-Fix-build-on-syste.patch
-Patch00168: configure-remove-pkgversion-from-CONFIG_.patch
-Patch00169: gcc10-maybe-uninitialized.patch
+Patch00093: ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
+Patch00094: xen-block-Fix-double-qlist-remove-and-re.patch
+Patch00095: vpc-Don-t-round-up-already-aligned-BAT-s.patch
+Patch00096: target-xtensa-fix-pasto-in-pfwait.r-opco.patch
+Patch00097: aio-wait-delegate-polling-of-main-AioCon.patch
+Patch00098: async-use-explicit-memory-barriers.patch
+Patch00099: tcg-mips-mips-sync-encode-error.patch
+Patch00100: vhost-user-gpu-Release-memory-returned-b.patch
+Patch00101: XXX-dont-dump-core-on-sigabort.patch
+Patch00102: qemu-binfmt-conf-Modify-default-path.patch
+Patch00103: qemu-cvs-gettimeofday.patch
+Patch00104: qemu-cvs-ioctl_debug.patch
+Patch00105: qemu-cvs-ioctl_nodirection.patch
+Patch00106: linux-user-add-binfmt-wrapper-for-argv-0.patch
+Patch00107: PPC-KVM-Disable-mmu-notifier-check.patch
+Patch00108: linux-user-binfmt-support-host-binaries.patch
+Patch00109: linux-user-Fake-proc-cpuinfo.patch
+Patch00110: linux-user-use-target_ulong.patch
+Patch00111: Make-char-muxer-more-robust-wrt-small-FI.patch
+Patch00112: linux-user-lseek-explicitly-cast-non-set.patch
+Patch00113: AIO-Reduce-number-of-threads-for-32bit-h.patch
+Patch00114: xen_disk-Add-suse-specific-flush-disable.patch
+Patch00115: qemu-bridge-helper-reduce-security-profi.patch
+Patch00116: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
+Patch00117: linux-user-properly-test-for-infinite-ti.patch
+Patch00118: roms-Makefile-pass-a-packaging-timestamp.patch
+Patch00119: Raise-soft-address-space-limit-to-hard-l.patch
+Patch00120: increase-x86_64-physical-bits-to-42.patch
+Patch00121: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
+Patch00122: i8254-Fix-migration-from-SLE11-SP2.patch
+Patch00123: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
+Patch00124: Switch-order-of-libraries-for-mpath-supp.patch
+Patch00125: Make-installed-scripts-explicitly-python.patch
+Patch00126: hw-smbios-handle-both-file-formats-regar.patch
+Patch00127: xen-add-block-resize-support-for-xen-dis.patch
+Patch00128: tests-qemu-iotests-Triple-timeout-of-i-o.patch
+Patch00129: tests-Fix-block-tests-to-be-compatible-w.patch
+Patch00130: xen-ignore-live-parameter-from-xen-save-.patch
+Patch00131: Conditionalize-ui-bitmap-installation-be.patch
+Patch00132: tests-change-error-message-in-test-162.patch
+Patch00133: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
+Patch00134: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
+Patch00135: hw-intc-exynos4210_gic-provide-more-room.patch
+Patch00136: configure-only-populate-roms-if-softmmu.patch
+Patch00137: pc-bios-s390-ccw-net-avoid-warning-about.patch
+Patch00138: roms-change-cross-compiler-naming-to-be-.patch
+Patch00139: tests-Disable-some-block-tests-for-now.patch
+Patch00140: test-add-mapping-from-arch-of-i686-to-qe.patch
+Patch00141: roms-Makefile-enable-cross-compile-for-b.patch
+Patch00142: hw-i386-disable-smbus-migration-for-xenf.patch
+Patch00143: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
+Patch00144: s390x-Move-reset-normal-to-shared-reset-.patch
+Patch00145: s390x-Move-initial-reset.patch
+Patch00146: s390x-Move-clear-reset.patch
+Patch00147: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
+Patch00148: s390x-ipl-Consolidate-iplb-validity-chec.patch
+Patch00149: s390x-Beautify-diag308-handling.patch
+Patch00150: s390x-Add-missing-vcpu-reset-functions.patch
+Patch00151: s390-sclp-improve-special-wait-psw-logic.patch
+Patch00152: s390x-Move-diagnose-308-subcodes-and-rcs.patch
+Patch00153: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
+Patch00154: Sync-pv.patch
+Patch00155: s390x-protvirt-Support-unpack-facility.patch
+Patch00156: s390x-protvirt-Add-migration-blocker.patch
+Patch00157: s390x-protvirt-Inhibit-balloon-when-swit.patch
+Patch00158: s390x-protvirt-KVM-intercept-changes.patch
+Patch00159: s390x-Add-SIDA-memory-ops.patch
+Patch00160: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
+Patch00161: s390x-protvirt-SCLP-interpretation.patch
+Patch00162: s390x-protvirt-Set-guest-IPL-PSW.patch
+Patch00163: s390x-protvirt-Move-diag-308-data-over-S.patch
+Patch00164: s390x-protvirt-Disable-address-checks-fo.patch
+Patch00165: s390x-protvirt-Move-IO-control-structure.patch
+Patch00166: s390x-protvirt-Handle-SIGP-store-status-.patch
+Patch00167: s390x-Add-unpack-facility-feature-to-GA1.patch
+Patch00168: s390x-s390-virtio-ccw-Fix-build-on-syste.patch
+Patch00169: configure-remove-pkgversion-from-CONFIG_.patch
+Patch00170: gcc10-maybe-uninitialized.patch
 # Patches applied in roms/seabios/:
 Patch01000: seabios-use-python2-explicitly-as-needed.patch
 Patch01001: seabios-switch-to-python3-as-needed.patch
@@ -1182,6 +1183,7 @@ This package provides a service file for starting and stopping KSM.
 %patch00167 -p1
 %patch00168 -p1
 %patch00169 -p1
+%patch00170 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1