From 563a7a18b46c14601fc3eae00e93fd131279bacc Mon Sep 17 00:00:00 2001 From: Mario Preksavec Date: Wed, 22 Jun 2016 11:21:41 +0200 Subject: system/xen: Updated for version 4.6.1. Signed-off-by: Mario Preksavec --- system/xen/patches/xsa173-4.6.patch | 244 +++++++++++++++++++++ system/xen/patches/xsa176.patch | 45 ++++ ...nked-access-bounds-checking-CVE-2016-3710.patch | 108 +++++++++ ...qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch | 68 ++++++ ....6-0003-vga-factor-out-vga-register-setup.patch | 127 +++++++++++ ...-update-vga-register-setup-on-vbe-changes.patch | 29 +++ ...re-vga-register-setup-for-vbe-stays-intac.patch | 75 +++++++ system/xen/patches/xsa181.patch | 38 ++++ 8 files changed, 734 insertions(+) create mode 100644 system/xen/patches/xsa173-4.6.patch create mode 100644 system/xen/patches/xsa176.patch create mode 100644 system/xen/patches/xsa179-qemuu-4.6-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch create mode 100644 system/xen/patches/xsa179-qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch create mode 100644 system/xen/patches/xsa179-qemuu-4.6-0003-vga-factor-out-vga-register-setup.patch create mode 100644 system/xen/patches/xsa179-qemuu-4.6-0004-vga-update-vga-register-setup-on-vbe-changes.patch create mode 100644 system/xen/patches/xsa179-qemuu-4.6-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch create mode 100644 system/xen/patches/xsa181.patch (limited to 'system/xen/patches') diff --git a/system/xen/patches/xsa173-4.6.patch b/system/xen/patches/xsa173-4.6.patch new file mode 100644 index 000000000000..aecf120c74fd --- /dev/null +++ b/system/xen/patches/xsa173-4.6.patch @@ -0,0 +1,244 @@ +commit 54a4651cb4e744960fb375ed99909d7dfb943caf +Author: Tim Deegan +Date: Wed Mar 16 16:51:27 2016 +0000 + + x86: limit GFNs to 32 bits for shadowed superpages. + + Superpage shadows store the shadowed GFN in the backpointer field, + which for non-BIGMEM builds is 32 bits wide. Shadowing a superpage + mapping of a guest-physical address above 2^44 would lead to the GFN + being truncated there, and a crash when we come to remove the shadow + from the hash table. + + Track the valid width of a GFN for each guest, including reporting it + through CPUID, and enforce it in the shadow pagetables. Set the + maximum witth to 32 for guests where this truncation could occur. + + This is XSA-173. + + Signed-off-by: Tim Deegan + Signed-off-by: Jan Beulich + +Reported-by: Ling Liu +diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c +index 35ef21b..528c283 100644 +--- a/xen/arch/x86/cpu/common.c ++++ b/xen/arch/x86/cpu/common.c +@@ -38,6 +38,7 @@ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx); + const struct cpu_dev *__read_mostly cpu_devs[X86_VENDOR_NUM] = {}; + + unsigned int paddr_bits __read_mostly = 36; ++unsigned int hap_paddr_bits __read_mostly = 36; + + /* + * Default host IA32_CR_PAT value to cover all memory types. +@@ -211,7 +212,7 @@ static void __init early_cpu_detect(void) + + static void __cpuinit generic_identify(struct cpuinfo_x86 *c) + { +- u32 tfms, capability, excap, ebx; ++ u32 tfms, capability, excap, ebx, eax; + + /* Get vendor name */ + cpuid(0x00000000, &c->cpuid_level, +@@ -248,8 +249,11 @@ static void __cpuinit generic_identify(struct cpuinfo_x86 *c) + } + if ( c->extended_cpuid_level >= 0x80000004 ) + get_model_name(c); /* Default name */ +- if ( c->extended_cpuid_level >= 0x80000008 ) +- paddr_bits = cpuid_eax(0x80000008) & 0xff; ++ if ( c->extended_cpuid_level >= 0x80000008 ) { ++ eax = cpuid_eax(0x80000008); ++ paddr_bits = eax & 0xff; ++ hap_paddr_bits = ((eax >> 16) & 0xff) ?: paddr_bits; ++ } + } + + /* Might lift BIOS max_leaf=3 limit. */ +diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c +index e200aab..0b4d9f0 100644 +--- a/xen/arch/x86/hvm/hvm.c ++++ b/xen/arch/x86/hvm/hvm.c +@@ -4567,8 +4567,7 @@ void hvm_cpuid(unsigned int input, unsigned int *eax, unsigned int *ebx, + break; + + case 0x80000008: +- count = cpuid_eax(0x80000008); +- count = (count >> 16) & 0xff ?: count & 0xff; ++ count = d->arch.paging.gfn_bits + PAGE_SHIFT; + if ( (*eax & 0xff) > count ) + *eax = (*eax & ~0xff) | count; + +diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c +index 773454d..06543d3 100644 +--- a/xen/arch/x86/mm/guest_walk.c ++++ b/xen/arch/x86/mm/guest_walk.c +@@ -93,6 +93,12 @@ void *map_domain_gfn(struct p2m_domain *p2m, gfn_t gfn, mfn_t *mfn, + struct page_info *page; + void *map; + ++ if ( gfn_x(gfn) >> p2m->domain->arch.paging.gfn_bits ) ++ { ++ *rc = _PAGE_INVALID_BIT; ++ return NULL; ++ } ++ + /* Translate the gfn, unsharing if shared */ + page = get_page_from_gfn_p2m(p2m->domain, p2m, gfn_x(gfn), p2mt, NULL, + q); +@@ -326,20 +332,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m, + flags &= ~_PAGE_PAT; + + if ( gfn_x(start) & GUEST_L2_GFN_MASK & ~0x1 ) +- { +-#if GUEST_PAGING_LEVELS == 2 +- /* +- * Note that _PAGE_INVALID_BITS is zero in this case, yielding a +- * no-op here. +- * +- * Architecturally, the walk should fail if bit 21 is set (others +- * aren't being checked at least in PSE36 mode), but we'll ignore +- * this here in order to avoid specifying a non-natural, non-zero +- * _PAGE_INVALID_BITS value just for that case. +- */ +-#endif + rc |= _PAGE_INVALID_BITS; +- } ++ + /* Increment the pfn by the right number of 4k pages. + * Mask out PAT and invalid bits. */ + start = _gfn((gfn_x(start) & ~GUEST_L2_GFN_MASK) + +@@ -422,5 +416,11 @@ set_ad: + put_page(mfn_to_page(mfn_x(gw->l1mfn))); + } + ++ /* If this guest has a restricted physical address space then the ++ * target GFN must fit within it. */ ++ if ( !(rc & _PAGE_PRESENT) ++ && gfn_x(guest_l1e_get_gfn(gw->l1e)) >> d->arch.paging.gfn_bits ) ++ rc |= _PAGE_INVALID_BITS; ++ + return rc; + } +diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c +index 6eb2167..f3475c6 100644 +--- a/xen/arch/x86/mm/hap/hap.c ++++ b/xen/arch/x86/mm/hap/hap.c +@@ -448,6 +448,8 @@ void hap_domain_init(struct domain *d) + { + INIT_PAGE_LIST_HEAD(&d->arch.paging.hap.freelist); + ++ d->arch.paging.gfn_bits = hap_paddr_bits - PAGE_SHIFT; ++ + /* Use HAP logdirty mechanism. */ + paging_log_dirty_init(d, hap_enable_log_dirty, + hap_disable_log_dirty, +diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c +index bad8360..98d0d2c 100644 +--- a/xen/arch/x86/mm/shadow/common.c ++++ b/xen/arch/x86/mm/shadow/common.c +@@ -51,6 +51,16 @@ int shadow_domain_init(struct domain *d, unsigned int domcr_flags) + INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.freelist); + INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.pinned_shadows); + ++ d->arch.paging.gfn_bits = paddr_bits - PAGE_SHIFT; ++#ifndef CONFIG_BIGMEM ++ /* ++ * Shadowed superpages store GFNs in 32-bit page_info fields. ++ * Note that we cannot use guest_supports_superpages() here. ++ */ ++ if ( !is_pv_domain(d) || opt_allow_superpage ) ++ d->arch.paging.gfn_bits = 32; ++#endif ++ + /* Use shadow pagetables for log-dirty support */ + paging_log_dirty_init(d, sh_enable_log_dirty, + sh_disable_log_dirty, sh_clean_dirty_bitmap); +diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c +index 43c9488..71477fe 100644 +--- a/xen/arch/x86/mm/shadow/multi.c ++++ b/xen/arch/x86/mm/shadow/multi.c +@@ -525,7 +525,8 @@ _sh_propagate(struct vcpu *v, + ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3); + + /* Check there's something for the shadows to map to */ +- if ( !p2m_is_valid(p2mt) && !p2m_is_grant(p2mt) ) ++ if ( (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt)) ++ || gfn_x(target_gfn) >> d->arch.paging.gfn_bits ) + { + *sp = shadow_l1e_empty(); + goto done; +diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h +index c6c6e71..74c3a52 100644 +--- a/xen/include/asm-x86/domain.h ++++ b/xen/include/asm-x86/domain.h +@@ -193,6 +193,9 @@ struct paging_domain { + /* log dirty support */ + struct log_dirty_domain log_dirty; + ++ /* Number of valid bits in a gfn. */ ++ unsigned int gfn_bits; ++ + /* preemption handling */ + struct { + const struct domain *dom; +diff --git a/xen/include/asm-x86/guest_pt.h b/xen/include/asm-x86/guest_pt.h +index f8a0d76..b5db401 100644 +--- a/xen/include/asm-x86/guest_pt.h ++++ b/xen/include/asm-x86/guest_pt.h +@@ -210,15 +210,17 @@ guest_supports_nx(struct vcpu *v) + } + + +-/* Some bits are invalid in any pagetable entry. */ +-#if GUEST_PAGING_LEVELS == 2 +-#define _PAGE_INVALID_BITS (0) +-#elif GUEST_PAGING_LEVELS == 3 +-#define _PAGE_INVALID_BITS \ +- get_pte_flags(((1ull<<63) - 1) & ~((1ull< +Reviewed-by: Andrew Cooper +Tested-by: Andrew Cooper + +--- a/xen/arch/x86/mm/guest_walk.c ++++ b/xen/arch/x86/mm/guest_walk.c +@@ -226,6 +226,11 @@ guest_walk_tables(struct vcpu *v, struct + rc |= _PAGE_PRESENT; + goto out; + } ++ if ( gflags & _PAGE_PSE ) ++ { ++ rc |= _PAGE_PSE | _PAGE_INVALID_BIT; ++ goto out; ++ } + rc |= ((gflags & mflags) ^ mflags); + + /* Map the l3 table */ +@@ -247,7 +252,7 @@ guest_walk_tables(struct vcpu *v, struct + } + rc |= ((gflags & mflags) ^ mflags); + +- pse1G = (gflags & _PAGE_PSE) && guest_supports_1G_superpages(v); ++ pse1G = !!(gflags & _PAGE_PSE); + + if ( pse1G ) + { +@@ -267,6 +272,8 @@ guest_walk_tables(struct vcpu *v, struct + /* _PAGE_PSE_PAT not set: remove _PAGE_PAT from flags. */ + flags &= ~_PAGE_PAT; + ++ if ( !guest_supports_1G_superpages(v) ) ++ rc |= _PAGE_PSE | _PAGE_INVALID_BIT; + if ( gfn_x(start) & GUEST_L3_GFN_MASK & ~0x1 ) + rc |= _PAGE_INVALID_BITS; + diff --git a/system/xen/patches/xsa179-qemuu-4.6-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch b/system/xen/patches/xsa179-qemuu-4.6-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch new file mode 100644 index 000000000000..3ad3cf43271e --- /dev/null +++ b/system/xen/patches/xsa179-qemuu-4.6-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch @@ -0,0 +1,108 @@ +From b16db5ab2d0c5ff755e08942f4c8e8f9f8618eae Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 26 Apr 2016 08:49:10 +0200 +Subject: [PATCH 1/5] vga: fix banked access bounds checking (CVE-2016-3710) + +vga allows banked access to video memory using the window at 0xa00000 +and it supports a different access modes with different address +calculations. + +The VBE bochs extentions support banked access too, using the +VBE_DISPI_INDEX_BANK register. The code tries to take the different +address calculations into account and applies different limits to +VBE_DISPI_INDEX_BANK depending on the current access mode. + +Which is probably effective in stopping misprogramming by accident. +But from a security point of view completely useless as an attacker +can easily change access modes after setting the bank register. + +Drop the bogus check, add range checks to vga_mem_{readb,writeb} +instead. + +Fixes: CVE-2016-3710 +Reported-by: Qinghao Tang +Signed-off-by: Gerd Hoffmann +Signed-off-by: Stefano Stabellini +--- + hw/display/vga.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 52eaf05..b577712 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -178,6 +178,7 @@ static void vga_update_memory_access(VGACommonState *s) + break; + } + base += isa_mem_base; ++ assert(offset + size <= s->vram_size); + memory_region_init_alias(&s->chain4_alias, memory_region_owner(&s->vram), + "vga.chain4", &s->vram, offset, size); + memory_region_add_subregion_overlap(s->legacy_address_space, base, +@@ -715,11 +716,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val) + vbe_fixup_regs(s); + break; + case VBE_DISPI_INDEX_BANK: +- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { +- val &= (s->vbe_bank_mask >> 2); +- } else { +- val &= s->vbe_bank_mask; +- } ++ val &= s->vbe_bank_mask; + s->vbe_regs[s->vbe_index] = val; + s->bank_offset = (val << 16); + vga_update_memory_access(s); +@@ -818,13 +815,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr) + + if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { + /* chain 4 mode : simplest access */ ++ assert(addr < s->vram_size); + ret = s->vram_ptr[addr]; + } else if (s->gr[VGA_GFX_MODE] & 0x10) { + /* odd/even mode (aka text mode mapping) */ + plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); +- ret = s->vram_ptr[((addr & ~1) << 1) | plane]; ++ addr = ((addr & ~1) << 1) | plane; ++ if (addr >= s->vram_size) { ++ return 0xff; ++ } ++ ret = s->vram_ptr[addr]; + } else { + /* standard VGA latched access */ ++ if (addr * sizeof(uint32_t) >= s->vram_size) { ++ return 0xff; ++ } + s->latch = ((uint32_t *)s->vram_ptr)[addr]; + + if (!(s->gr[VGA_GFX_MODE] & 0x08)) { +@@ -881,6 +886,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + plane = addr & 3; + mask = (1 << plane); + if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { ++ assert(addr < s->vram_size); + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM + printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr); +@@ -894,6 +900,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + mask = (1 << plane); + if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { + addr = ((addr & ~1) << 1) | plane; ++ if (addr >= s->vram_size) { ++ return; ++ } + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM + printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr); +@@ -967,6 +976,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + mask = s->sr[VGA_SEQ_PLANE_WRITE]; + s->plane_updated |= mask; /* only used to detect font change */ + write_mask = mask16[mask]; ++ if (addr * sizeof(uint32_t) >= s->vram_size) { ++ return; ++ } + ((uint32_t *)s->vram_ptr)[addr] = + (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) | + (val & write_mask); +-- +1.9.1 + diff --git a/system/xen/patches/xsa179-qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch b/system/xen/patches/xsa179-qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch new file mode 100644 index 000000000000..0daa3141ebab --- /dev/null +++ b/system/xen/patches/xsa179-qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch @@ -0,0 +1,68 @@ +From e026859e9aecf8635daf06e9fc2325239f458959 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 26 Apr 2016 14:11:34 +0200 +Subject: [PATCH 2/5] vga: add vbe_enabled() helper + +Makes code a bit easier to read. + +Signed-off-by: Gerd Hoffmann +Signed-off-by: Stefano Stabellini +--- + hw/display/vga.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index b577712..ebf63ff 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -140,6 +140,11 @@ static uint32_t expand4[256]; + static uint16_t expand2[256]; + static uint8_t expand4to8[16]; + ++static inline bool vbe_enabled(VGACommonState *s) ++{ ++ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED; ++} ++ + static void vga_update_memory_access(VGACommonState *s) + { + hwaddr base, offset, size; +@@ -563,7 +568,7 @@ static void vbe_fixup_regs(VGACommonState *s) + uint16_t *r = s->vbe_regs; + uint32_t bits, linelength, maxy, offset; + +- if (!(r[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) { ++ if (!vbe_enabled(s)) { + /* vbe is turned off -- nothing to do */ + return; + } +@@ -1057,7 +1062,7 @@ static void vga_get_offsets(VGACommonState *s, + { + uint32_t start_addr, line_offset, line_compare; + +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + line_offset = s->vbe_line_offset; + start_addr = s->vbe_start_addr; + line_compare = 65535; +@@ -1382,7 +1387,7 @@ static int vga_get_bpp(VGACommonState *s) + { + int ret; + +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + ret = s->vbe_regs[VBE_DISPI_INDEX_BPP]; + } else { + ret = 0; +@@ -1394,7 +1399,7 @@ static void vga_get_resolution(VGACommonState *s, int *pwidth, int *pheight) + { + int width, height; + +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + width = s->vbe_regs[VBE_DISPI_INDEX_XRES]; + height = s->vbe_regs[VBE_DISPI_INDEX_YRES]; + } else { +-- +1.9.1 + diff --git a/system/xen/patches/xsa179-qemuu-4.6-0003-vga-factor-out-vga-register-setup.patch b/system/xen/patches/xsa179-qemuu-4.6-0003-vga-factor-out-vga-register-setup.patch new file mode 100644 index 000000000000..70e4bdbca8d9 --- /dev/null +++ b/system/xen/patches/xsa179-qemuu-4.6-0003-vga-factor-out-vga-register-setup.patch @@ -0,0 +1,127 @@ +From b36a4e26caf7a050a6e8593527c26bfa4f47a758 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 26 Apr 2016 15:24:18 +0200 +Subject: [PATCH 3/5] vga: factor out vga register setup + +When enabling vbe mode qemu will setup a bunch of vga registers to make +sure the vga emulation operates in correct mode for a linear +framebuffer. Move that code to a separate function so we can call it +from other places too. + +Signed-off-by: Gerd Hoffmann +Signed-off-by: Stefano Stabellini +--- + hw/display/vga.c | 78 ++++++++++++++++++++++++++++++++------------------------ + 1 file changed, 44 insertions(+), 34 deletions(-) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index ebf63ff..fb822f4 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -643,6 +643,49 @@ static void vbe_fixup_regs(VGACommonState *s) + s->vbe_start_addr = offset / 4; + } + ++/* we initialize the VGA graphic mode */ ++static void vbe_update_vgaregs(VGACommonState *s) ++{ ++ int h, shift_control; ++ ++ if (!vbe_enabled(s)) { ++ /* vbe is turned off -- nothing to do */ ++ return; ++ } ++ ++ /* graphic mode + memory map 1 */ ++ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 | ++ VGA_GR06_GRAPHICS_MODE; ++ s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */ ++ s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3; ++ /* width */ ++ s->cr[VGA_CRTC_H_DISP] = ++ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1; ++ /* height (only meaningful if < 1024) */ ++ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; ++ s->cr[VGA_CRTC_V_DISP_END] = h; ++ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) | ++ ((h >> 7) & 0x02) | ((h >> 3) & 0x40); ++ /* line compare to 1023 */ ++ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff; ++ s->cr[VGA_CRTC_OVERFLOW] |= 0x10; ++ s->cr[VGA_CRTC_MAX_SCAN] |= 0x40; ++ ++ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { ++ shift_control = 0; ++ s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ ++ } else { ++ shift_control = 2; ++ /* set chain 4 mode */ ++ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; ++ /* activate all planes */ ++ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; ++ } ++ s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | ++ (shift_control << 5); ++ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */ ++} ++ + static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr) + { + VGACommonState *s = opaque; +@@ -729,52 +772,19 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val) + case VBE_DISPI_INDEX_ENABLE: + if ((val & VBE_DISPI_ENABLED) && + !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) { +- int h, shift_control; + + s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0; + s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0; + s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0; + s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED; + vbe_fixup_regs(s); ++ vbe_update_vgaregs(s); + + /* clear the screen */ + if (!(val & VBE_DISPI_NOCLEARMEM)) { + memset(s->vram_ptr, 0, + s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset); + } +- +- /* we initialize the VGA graphic mode */ +- /* graphic mode + memory map 1 */ +- s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 | +- VGA_GR06_GRAPHICS_MODE; +- s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */ +- s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3; +- /* width */ +- s->cr[VGA_CRTC_H_DISP] = +- (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1; +- /* height (only meaningful if < 1024) */ +- h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; +- s->cr[VGA_CRTC_V_DISP_END] = h; +- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) | +- ((h >> 7) & 0x02) | ((h >> 3) & 0x40); +- /* line compare to 1023 */ +- s->cr[VGA_CRTC_LINE_COMPARE] = 0xff; +- s->cr[VGA_CRTC_OVERFLOW] |= 0x10; +- s->cr[VGA_CRTC_MAX_SCAN] |= 0x40; +- +- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { +- shift_control = 0; +- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ +- } else { +- shift_control = 2; +- /* set chain 4 mode */ +- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; +- /* activate all planes */ +- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; +- } +- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | +- (shift_control << 5); +- s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */ + } else { + s->bank_offset = 0; + } +-- +1.9.1 + diff --git a/system/xen/patches/xsa179-qemuu-4.6-0004-vga-update-vga-register-setup-on-vbe-changes.patch b/system/xen/patches/xsa179-qemuu-4.6-0004-vga-update-vga-register-setup-on-vbe-changes.patch new file mode 100644 index 000000000000..0638edb91be8 --- /dev/null +++ b/system/xen/patches/xsa179-qemuu-4.6-0004-vga-update-vga-register-setup-on-vbe-changes.patch @@ -0,0 +1,29 @@ +From ef8bd1b26a597ae7c306227655626640093cb7a2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 26 Apr 2016 15:39:22 +0200 +Subject: [PATCH 4/5] vga: update vga register setup on vbe changes + +Call the new vbe_update_vgaregs() function on vbe configuration +changes, to make sure vga registers are up-to-date. + +Signed-off-by: Gerd Hoffmann +Signed-off-by: Stefano Stabellini +--- + hw/display/vga.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index fb822f4..3739758 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -762,6 +762,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val) + case VBE_DISPI_INDEX_Y_OFFSET: + s->vbe_regs[s->vbe_index] = val; + vbe_fixup_regs(s); ++ vbe_update_vgaregs(s); + break; + case VBE_DISPI_INDEX_BANK: + val &= s->vbe_bank_mask; +-- +1.9.1 + diff --git a/system/xen/patches/xsa179-qemuu-4.6-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch b/system/xen/patches/xsa179-qemuu-4.6-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch new file mode 100644 index 000000000000..c22f2d719519 --- /dev/null +++ b/system/xen/patches/xsa179-qemuu-4.6-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch @@ -0,0 +1,75 @@ +From 92456c0c361d5da858d544647c6246ec78ed922b Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 26 Apr 2016 14:48:06 +0200 +Subject: [PATCH 5/5] vga: make sure vga register setup for vbe stays intact + (CVE-2016-3712). + +Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT +registers, to make sure the vga registers will always have the +values needed by vbe mode. This makes sure the sanity checks +applied by vbe_fixup_regs() are effective. + +Without this guests can muck with shift_control, can turn on planar +vga modes or text mode emulation while VBE is active, making qemu +take code paths meant for CGA compatibility, but with the very +large display widths and heigts settable using VBE registers. + +Which is good for one or another buffer overflow. Not that +critical as they typically read overflows happening somewhere +in the display code. So guests can DoS by crashing qemu with a +segfault, but it is probably not possible to break out of the VM. + +Fixes: CVE-2016-3712 +Reported-by: Zuozhi Fzz +Reported-by: P J P +Signed-off-by: Gerd Hoffmann +Signed-off-by: Stefano Stabellini +--- + hw/display/vga.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 3739758..e7be97e 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -140,6 +140,8 @@ static uint32_t expand4[256]; + static uint16_t expand2[256]; + static uint8_t expand4to8[16]; + ++static void vbe_update_vgaregs(VGACommonState *s); ++ + static inline bool vbe_enabled(VGACommonState *s) + { + return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED; +@@ -483,6 +485,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val) + printf("vga: write SR%x = 0x%02x\n", s->sr_index, val); + #endif + s->sr[s->sr_index] = val & sr_mask[s->sr_index]; ++ vbe_update_vgaregs(s); + if (s->sr_index == VGA_SEQ_CLOCK_MODE) { + s->update_retrace_info(s); + } +@@ -514,6 +517,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val) + printf("vga: write GR%x = 0x%02x\n", s->gr_index, val); + #endif + s->gr[s->gr_index] = val & gr_mask[s->gr_index]; ++ vbe_update_vgaregs(s); + vga_update_memory_access(s); + break; + case VGA_CRT_IM: +@@ -532,10 +536,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val) + if (s->cr_index == VGA_CRTC_OVERFLOW) { + s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) | + (val & 0x10); ++ vbe_update_vgaregs(s); + } + return; + } + s->cr[s->cr_index] = val; ++ vbe_update_vgaregs(s); + + switch(s->cr_index) { + case VGA_CRTC_H_TOTAL: +-- +1.9.1 + diff --git a/system/xen/patches/xsa181.patch b/system/xen/patches/xsa181.patch new file mode 100644 index 000000000000..c44541ec4d93 --- /dev/null +++ b/system/xen/patches/xsa181.patch @@ -0,0 +1,38 @@ +From ee488e2133e581967d13d5287d7bd654e9b2e2a6 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Thu, 2 Jun 2016 14:19:00 +0100 +Subject: [PATCH] xen/arm: Don't free p2m->root in p2m_teardown() before it has + been allocated + +If p2m_init() didn't complete successfully, (e.g. due to VMID +exhaustion), p2m_teardown() is called and unconditionally tries to free +p2m->root before it has been allocated. free_domheap_pages() doesn't +tolerate NULL pointers. + +This is XSA-181 + +Reported-by: Aaron Cornelius +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +Reviewed-by: Julien Grall +--- + xen/arch/arm/p2m.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c +index 838d004..6a19c57 100644 +--- a/xen/arch/arm/p2m.c ++++ b/xen/arch/arm/p2m.c +@@ -1408,7 +1408,8 @@ void p2m_teardown(struct domain *d) + while ( (pg = page_list_remove_head(&p2m->pages)) ) + free_domheap_page(pg); + +- free_domheap_pages(p2m->root, P2M_ROOT_ORDER); ++ if ( p2m->root ) ++ free_domheap_pages(p2m->root, P2M_ROOT_ORDER); + + p2m->root = NULL; + +-- +2.1.4 + -- cgit v1.2.3