qemu-e2k/hw
Li Qiang 62d4c6bd52 cirrus: fix oob access issue (CVE-2017-2615)
When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>

[ kraxel: with backward blits (negative pitch) addr is the topmost
          address, so check it as-is against vram size ]

Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: d3532a0db0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-02-02 15:58:23 +01:00
..
9pfs This pull request fixes a 2.9 regression and a long standing bug that can 2017-01-25 17:54:14 +00:00
acpi machine: Make possible_cpu_arch_ids() return const pointer 2017-01-23 21:25:37 -02:00
adc
alpha
arm * SCSI max_transfer support for scsi-generic (Eric) 2017-01-30 10:23:20 +00:00
audio
block pflash_cfi01: fix per-device sector length in CFI table 2017-01-27 15:20:22 +00:00
bt chardev: qom-ify 2017-01-27 18:08:00 +01:00
char * SCSI max_transfer support for scsi-generic (Eric) 2017-01-30 10:23:20 +00:00
core char: rename CharDriverState Chardev 2017-01-27 18:07:59 +01:00
cpu Introduce DEVICE_CATEGORY_CPU for CPU devices 2017-01-27 18:07:31 +01:00
cris
display cirrus: fix oob access issue (CVE-2017-2615) 2017-02-02 15:58:23 +01:00
dma dma: omap: check dma channel data_type 2017-01-27 15:29:08 +00:00
gpio
i2c arm: Uniquely name imx25 I2C buses. 2017-01-20 11:15:06 +00:00
i386 icount: update instruction counter on apic patching 2017-01-27 18:07:30 +01:00
ide
input
intc * SCSI max_transfer support for scsi-generic (Eric) 2017-01-30 10:23:20 +00:00
ipack
ipmi
isa char: rename CharDriverState Chardev 2017-01-27 18:07:59 +01:00
lm32 char: rename CharDriverState Chardev 2017-01-27 18:07:59 +01:00
m68k m68k: QOMify the MCF Fast Ethernet Controller device 2017-01-20 10:36:38 +08:00
mem
microblaze
mips char: rename CharDriverState Chardev 2017-01-27 18:07:59 +01:00
misc char: rename CharDriverState Chardev 2017-01-27 18:07:59 +01:00
moxie
net arm: stellaris: make MII accesses complete immediately 2017-01-27 15:29:08 +00:00
nios2 nios2: Add Altera 10M50 GHRD emulation 2017-01-24 13:10:35 -08:00
nvram migration: extend VMStateInfo 2017-01-24 17:54:47 +00:00
openrisc
pci trivial patches for 2017-01-24 2017-01-25 10:42:26 +00:00
pci-bridge PCI/migration merge vmstate_pci_device and vmstate_pcie_device 2017-01-24 18:00:31 +00:00
pci-host
pcmcia
ppc hw: Fix typos found by codespell 2017-01-24 23:26:52 +03:00
s390x hw: Fix typos found by codespell 2017-01-24 23:26:52 +03:00
scsi hw/scsi: Fix debug message of cdb structure in scsi-generic 2017-01-27 18:07:31 +01:00
sd
sh4 cputlb: drop flush_global flag from tlb_flush 2017-01-13 14:24:37 +00:00
smbios stubs: move smbios stubs to hw/smbios 2017-01-16 17:52:35 +01:00
sparc
sparc64 target-sparc: fix up niagara machine 2017-01-18 22:03:44 +01:00
ssi aspeed/smc: handle dummy bytes when doing fast reads in command mode 2017-01-27 15:20:20 +00:00
timer replay: don't use rtc clock on loadvm phase 2017-01-27 18:07:30 +01:00
tpm
tricore
unicore32
usb char: rename CharDriverState Chardev 2017-01-27 18:07:59 +01:00
vfio vfio: remove a duplicated word in comments 2017-01-24 23:26:53 +03:00
virtio trivial patches for 2017-01-24 2017-01-25 10:42:26 +00:00
watchdog
xen
xenpv
xtensa target/xtensa: refactor CCOUNT/CCOMPARE 2017-01-15 13:01:55 -08:00
Makefile.objs acpi: filter based on CONFIG_ACPI_X86 rather than TARGET 2017-01-16 17:52:35 +01:00