qemu-irix/hw/display
Gerd Hoffmann 44b86aa32e vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
registers, to make sure the vga registers will always have the
values needed by vbe mode.  This makes sure the sanity checks
applied by vbe_fixup_regs() are effective.

Without this guests can muck with shift_control, can turn on planar
vga modes or text mode emulation while VBE is active, making qemu
take code paths meant for CGA compatibility, but with the very
large display widths and heights settable using VBE registers.

Which is good for one or another buffer overflow.  Not that
critical as they are typically read overflows happening somewhere
in the display code.  So guests can DoS by crashing qemu with a
segfault, but it is probably not possible to break out of the VM.

Fixes: CVE-2016-3712
Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
Reported-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2016-05-08 20:56:43 -05:00
Makefile.objs virtio-gpu: add 3d mode and virgl rendering support. 2015-10-08 10:31:35 +02:00
ads7846.c savevm: Remove all the unneeded version_minimum_id_old (arm) 2014-05-13 16:09:35 +01:00
blizzard.c blizzard: do not depend on VGA internals 2015-01-15 10:44:13 +03:00
blizzard_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
cg3.c hw: do not pass NULL to memory_region_init from instance_init 2015-10-09 15:25:56 +02:00
cirrus_vga.c cirrus_vga: QOMify 2015-05-19 11:40:01 +02:00
cirrus_vga_rop.h cirrus: Fix host CPU blits 2014-07-11 10:17:02 +02:00
cirrus_vga_rop2.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
exynos4210_fimd.c maint: avoid useless "if (foo) free(foo)" pattern 2015-09-11 10:21:38 +03:00
framebuffer.c framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer 2015-07-24 13:57:45 +02:00
framebuffer.h framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer 2015-07-24 13:57:45 +02:00
g364fb.c qerror: Move #include out of qerror.h 2015-06-22 18:20:40 +02:00
jazz_led.c jazz_led: Add missing break in switch case 2014-05-24 00:07:56 +04:00
milkymist-tmu2.c ui/opengl: Reduce build required libraries for opengl 2015-11-03 10:13:42 +01:00
milkymist-vgafb.c framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer 2015-07-24 13:57:45 +02:00
milkymist-vgafb_template.h milkymist-vgafb: swap pixel data in source buffer 2014-02-04 19:34:30 +01:00
omap_dss.c arm: Use g_new() & friends where that makes obvious sense 2015-09-07 10:39:27 +01:00
omap_lcd_template.h hw: use ld_p/st_p instead of ld_raw/st_raw 2014-06-05 16:04:17 +02:00
omap_lcdc.c arm: Use g_new() & friends where that makes obvious sense 2015-09-07 10:39:27 +01:00
pl110.c framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer 2015-07-24 13:57:45 +02:00
pl110_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
pxa2xx_lcd.c framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer 2015-07-24 13:57:45 +02:00
pxa2xx_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
qxl-logger.c hw/display/qxl-logger.c: Constify some variable 2015-06-23 20:23:39 +03:00
qxl-render.c typofixes - v4 2015-09-11 10:45:43 +03:00
qxl.c qxl: Use g_new() & friends where that makes obvious sense 2015-11-06 15:42:38 +03:00
qxl.h qxl: allow to specify head limit to qxl driver 2015-07-16 17:31:05 +02:00
sm501.c Fix bad error handling after memory_region_init_ram() 2015-09-18 14:39:29 +02:00
sm501_template.h hw: use ld_p/st_p instead of ld_raw/st_raw 2014-06-05 16:04:17 +02:00
ssd0303.c savevm: Remove all the unneeded version_minimum_id_old (arm) 2014-05-13 16:09:35 +01:00
ssd0323.c ssd0323: fix buffer overun on invalid state load 2014-05-05 22:15:02 +02:00
tc6393xb.c Fix bad error handling after memory_region_init_ram() 2015-09-18 14:39:29 +02:00
tc6393xb_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
tcx.c hw/display/tcx: Remove superfluous OBJECT() typecasts 2015-11-06 15:42:38 +03:00
vga-helpers.h vga: Rename vga_template.h to vga-helpers.h 2014-09-30 13:34:09 +02:00
vga-isa-mm.c vga: allow non-global vmstate 2014-04-28 10:21:55 +02:00
vga-isa.c isa: remove isa_mem_base variable 2015-02-13 14:09:28 +00:00
vga-pci.c virtio-vga: add virtio gpu device with vga compatibility 2015-06-12 10:13:23 +02:00
vga.c vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). 2016-05-08 20:56:43 -05:00
vga.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
vga_int.h virtio-vga: add virtio gpu device with vga compatibility 2015-06-12 10:13:23 +02:00
virtio-gpu-3d.c virtio-gpu: add 3d mode and virgl rendering support. 2015-10-08 10:31:35 +02:00
virtio-gpu-pci.c virtio-gpu: change licence from GPLv2 to GPLv2+ 2015-10-08 10:31:35 +02:00
virtio-gpu.c virtio-gpu: add cursor update tracepoint 2015-10-08 10:33:21 +02:00
virtio-vga.c virtio-gpu: use virtio_instance_init_common, fixup properties 2015-07-07 11:23:18 +02:00
vmware_vga.c vmsvga: more cursor checks 2015-10-20 09:26:36 +02:00
xenfb.c xenfb: avoid reading twice the same fields from the shared page 2016-03-15 12:20:35 -05:00