author    Gerd Hoffmann <kraxel@redhat.com>  2016-04-26 14:48:06 +0200
committer Gerd Hoffmann <kraxel@redhat.com>  2016-05-02 16:02:59 +0200
commit    fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7 (patch)
tree      6b8ff1698cb5b7becbd01ba7090147963679d5ca /VERSION
parent    2068192dcccd8a80dddfcc8df6164cf9c26e0fc4 (diff)
vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT registers, to make sure the vga registers will always have the values needed by vbe mode. This makes sure the sanity checks applied by vbe_fixup_regs() are effective.

Without this guests can muck with shift_control, can turn on planar vga modes or text mode emulation while VBE is active, making qemu take code paths meant for CGA compatibility, but with the very large display widths and heights settable using VBE registers. Which is good for one or another buffer overflow. Not that critical as they typically read overflows happening somewhere in the display code. So guests can DoS by crashing qemu with a segfault, but it is probably not possible to break out of the VM.

Fixes: CVE-2016-3712
Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
Reported-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'VERSION')
0 files changed, 0 insertions, 0 deletions
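The commit message describes an invariant, not a single bounds check: while VBE is active, the legacy SEQ/GFX/CRT registers must keep the values the VBE display path assumes, and the only robust place to enforce that is after every guest write to those registers. The following is an added illustration of that pattern, constructed for this page; it is not QEMU's code and not part of this commit. `VgaModel`, `VgaBank`, `MODEL_VRAM_SIZE` and the helper names are assumptions of the model. The register bit layouts (GFX index 5 bits 5-6 = shift control, GFX index 6 bit 0 = graphics mode, SEQ index 4 bit 3 = chain-4) follow the standard VGA programming interface; the clamping policy in `vbe_fixup_regs` is a simplified stand-in for the real sanity checks, showing only that the programmed frame must fit in VRAM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified, hypothetical model of VGA/VBE register state (constructed for
 * this example; not QEMU's VGACommonState).  Register indices and bit layouts
 * follow the standard VGA programming model. */
#define MODEL_VRAM_SIZE  (8u * 1024u * 1024u)   /* constructed: 8 MiB of VRAM */
#define VBE_ENABLED_BIT  0x01u

typedef struct {
    uint8_t  sr[8];      /* sequencer registers (SEQ) */
    uint8_t  gr[16];     /* graphics controller registers (GFX) */
    uint8_t  cr[32];     /* CRT controller registers (CRT) */
    uint32_t vbe_xres, vbe_yres, vbe_bpp;   /* VBE-programmed geometry */
    uint32_t vbe_enable;
    uint32_t vram_size;
} VgaModel;

typedef enum { VGA_SEQ, VGA_GFX, VGA_CRT } VgaBank;

static void vga_model_init(VgaModel *s)
{
    memset(s, 0, sizeof *s);
    s->vram_size = MODEL_VRAM_SIZE;
}

static bool vbe_enabled(const VgaModel *s) { return (s->vbe_enable & VBE_ENABLED_BIT) != 0; }
/* Views of the legacy registers that select the display code path. */
static int  shift_control(const VgaModel *s) { return (s->gr[5] >> 5) & 3; }   /* 0 = CGA-style */
static bool graphics_mode(const VgaModel *s) { return (s->gr[6] & 0x01) != 0; } /* else text mode */
static bool chain4(const VgaModel *s)        { return (s->sr[4] & 0x08) != 0; } /* linear, not planar */

/* Bytes per scanline and per frame for the programmed VBE mode (64-bit to
 * avoid the overflow a 16-bit-register product could cause). */
static uint64_t vbe_line_offset(const VgaModel *s) { return (uint64_t)s->vbe_xres * ((s->vbe_bpp + 7) / 8); }
static uint64_t vbe_frame_bytes(const VgaModel *s) { return vbe_line_offset(s) * s->vbe_yres; }

/* Clamp the VBE geometry so one frame always fits in VRAM (simplified policy). */
static void vbe_fixup_regs(VgaModel *s)
{
    if (s->vbe_bpp == 0 || s->vbe_bpp > 32) s->vbe_bpp = 8;
    if (s->vbe_xres == 0) s->vbe_xres = 640;
    if (s->vbe_yres == 0) s->vbe_yres = 480;
    uint32_t bytes_pp = (s->vbe_bpp + 7) / 8;
    if ((uint64_t)s->vbe_xres * bytes_pp > s->vram_size)
        s->vbe_xres = s->vram_size / bytes_pp;
    uint64_t line = vbe_line_offset(s);
    if (line * s->vbe_yres > s->vram_size)
        s->vbe_yres = (uint32_t)(s->vram_size / line);
}

/* Re-derive every legacy register the VBE path relies on.  Any guest write to
 * SEQ/GFX/CRT must be followed by this; otherwise the legacy registers can
 * select a CGA/planar/text path while the VBE geometry stays huge. */
static void vbe_update_vgaregs(VgaModel *s)
{
    if (!vbe_enabled(s)) return;   /* legacy modes keep the guest's own values */
    vbe_fixup_regs(s);
    s->sr[4] = 0x08;   /* chain-4: linear framebuffer, not planar */
    s->gr[5] = 0x40;   /* shift_control = 2: 256-colour shift, not CGA */
    s->gr[6] = 0x05;   /* graphics mode on, text emulation off */
}

static uint8_t *bank_reg(VgaModel *s, VgaBank bank, unsigned idx)
{
    switch (bank) {
    case VGA_SEQ: return idx < sizeof s->sr ? &s->sr[idx] : NULL;
    case VGA_GFX: return idx < sizeof s->gr ? &s->gr[idx] : NULL;
    case VGA_CRT: return idx < sizeof s->cr ? &s->cr[idx] : NULL;
    }
    return NULL;
}

/* Pre-fix behaviour: the guest's value is stored and nothing is re-checked. */
static void vga_reg_write_unguarded(VgaModel *s, VgaBank bank, unsigned idx, uint8_t val)
{
    uint8_t *r = bank_reg(s, bank, idx);
    if (r) *r = val;
}

/* Fixed behaviour: store, then re-assert the VBE invariants. */
static void vga_reg_write(VgaModel *s, VgaBank bank, unsigned idx, uint8_t val)
{
    vga_reg_write_unguarded(s, bank, idx, val);
    vbe_update_vgaregs(s);
}

/* Guest programs a VBE mode (the real interface exposes 16-bit registers). */
static void vbe_set_mode(VgaModel *s, uint16_t xres, uint16_t yres, uint16_t bpp, bool enable)
{
    s->vbe_xres = xres; s->vbe_yres = yres; s->vbe_bpp = bpp;
    s->vbe_enable = enable ? VBE_ENABLED_BIT : 0;
    vbe_update_vgaregs(s);
}
```

The contrast to look at is `vga_reg_write_unguarded` versus `vga_reg_write`: with the former, enabling a large VBE mode and then writing GFX index 5 leaves `shift_control()` at 0 while `vbe_enabled()` is still true, which is exactly the mixed state the commit message describes; with the latter the write is accepted but the VBE-required values are immediately restored. When VBE is disabled the guard is a no-op, so legacy modes behave as before. For detection in a hypervisor audit, the same property can be stated as a check: after any SEQ/GFX/CRT write with VBE enabled, the three accessors must report 2, true and true, and `vbe_frame_bytes()` must not exceed VRAM.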