From: Peter Maydell <peter.maydell@linaro.org>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PULL for-2.6 0/5] vga security fixes (CVE-2016-3710, CVE-2016-3712)
Date: Mon, 9 May 2016 14:06:49 +0100 [thread overview]
Message-ID: <CAFEAcA9XOOuyBTaB-h6=RxfLCrAVnygMwA4bw0wKtsgw31aGyA@mail.gmail.com> (raw)
In-Reply-To: <1462798310-21395-1-git-send-email-kraxel@redhat.com>
On 9 May 2016 at 13:51, Gerd Hoffmann <kraxel@redhat.com> wrote:
> Hi,
>
> Here comes a pull request for 2.6, fixing two security issues in the
> vga emulation code.
>
> The first one (CVE-2016-3710, patch #1) is pretty serious, allowing the
> guest read and write host memory. Possibly allows the guest to break
> out of the vm.
>
> The second one (CVE-2016-3712) is a read overflow. DoS only (allows the
> guest crash qemu).
>
> Both flaws are simliar: Programming the vga using both bochs vbe
> registers and standard vga registers, create a unusual video mode,
> bypass sanity checks that way. See actual patch descriptions for more
> details.
>
> please pull,
> Gerd
>
> The following changes since commit 277abf15a60f7653bfb05ffb513ed74ffdaea1b7:
>
> configure: Check if struct fsxattr is available from linux header (2016-05-02 13:04:26 +0100)
>
> are available in the git repository at:
>
> git://git.kraxel.org/qemu tags/pull-vga-20160509-1
>
> for you to fetch changes up to fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7:
>
> vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). (2016-05-02 16:02:59 +0200)
>
> ----------------------------------------------------------------
> vga security fixes (CVE-2016-3710, CVE-2016-3712)
>
> ----------------------------------------------------------------
Applied to master, thanks. That was all we were waiting for to
release 2.6, so I will tag rc5 this afternoon and barring disaster
tag the final release (same contents) on Wednesday.
thanks
-- PMM
prev parent reply other threads:[~2016-05-09 13:07 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-09 12:51 [Qemu-devel] [PULL for-2.6 0/5] vga security fixes (CVE-2016-3710, CVE-2016-3712) Gerd Hoffmann
2016-05-09 12:51 ` [Qemu-devel] [PULL 1/5] vga: fix banked access bounds checking (CVE-2016-3710) Gerd Hoffmann
2016-05-09 12:51 ` [Qemu-devel] [PULL 2/5] vga: add vbe_enabled() helper Gerd Hoffmann
2016-05-09 12:51 ` [Qemu-devel] [PULL 3/5] vga: factor out vga register setup Gerd Hoffmann
2016-05-09 12:51 ` [Qemu-devel] [PULL 4/5] vga: update vga register setup on vbe changes Gerd Hoffmann
2016-05-09 12:51 ` [Qemu-devel] [PULL 5/5] vga: make sure vga register setup for vbe stays intact (CVE-2016-3712) Gerd Hoffmann
2016-05-09 13:06 ` Peter Maydell [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAFEAcA9XOOuyBTaB-h6=RxfLCrAVnygMwA4bw0wKtsgw31aGyA@mail.gmail.com' \
--to=peter.maydell@linaro.org \
--cc=kraxel@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.