[Qemu-devel] [PULL for-2.6 0/5] vga security fixes (CVE-2016-3710, CVE-2016-3712)

[Gerd Hoffmann]

  Hi,

Here comes a pull request for 2.6, fixing two security issues in the
vga emulation code.

The first one (CVE-2016-3710, patch #1) is pretty serious, allowing the
guest read and write host memory.  Possibly allows the guest to break
out of the vm.

The second one (CVE-2016-3712) is a read overflow.  DoS only (allows the
guest crash qemu).

Both flaws are simliar:  Programming the vga using both bochs vbe
registers and standard vga registers, create a unusual video mode,
bypass sanity checks that way.  See actual patch descriptions for more
details.

please pull,
  Gerd

The following changes since commit 277abf15a60f7653bfb05ffb513ed74ffdaea1b7:

  configure: Check if struct fsxattr is available from linux header (2016-05-02 
13:04:26 +0100)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/pull-vga-20160509-1

for you to fetch changes up to fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7:

  vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). 
(2016-05-02 16:02:59 +0200)

----------------------------------------------------------------
vga security fixes (CVE-2016-3710, CVE-2016-3712)

----------------------------------------------------------------
Gerd Hoffmann (5):
      vga: fix banked access bounds checking (CVE-2016-3710)
      vga: add vbe_enabled() helper
      vga: factor out vga register setup
      vga: update vga register setup on vbe changes
      vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).

 hw/display/vga.c | 122 +++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 78 insertions(+), 44 deletions(-)