head	1.2;
access;
symbols
	pkgsrc-2020Q2:1.1.0.26
	pkgsrc-2020Q2-base:1.1
	pkgsrc-2020Q1:1.1.0.6
	pkgsrc-2020Q1-base:1.1
	pkgsrc-2019Q4:1.1.0.28
	pkgsrc-2019Q4-base:1.1
	pkgsrc-2019Q3:1.1.0.24
	pkgsrc-2019Q3-base:1.1
	pkgsrc-2019Q2:1.1.0.22
	pkgsrc-2019Q2-base:1.1
	pkgsrc-2019Q1:1.1.0.20
	pkgsrc-2019Q1-base:1.1
	pkgsrc-2018Q4:1.1.0.18
	pkgsrc-2018Q4-base:1.1
	pkgsrc-2018Q3:1.1.0.16
	pkgsrc-2018Q3-base:1.1
	pkgsrc-2018Q2:1.1.0.14
	pkgsrc-2018Q2-base:1.1
	pkgsrc-2018Q1:1.1.0.12
	pkgsrc-2018Q1-base:1.1
	pkgsrc-2017Q4:1.1.0.10
	pkgsrc-2017Q4-base:1.1
	pkgsrc-2017Q3:1.1.0.8
	pkgsrc-2017Q3-base:1.1
	pkgsrc-2017Q2:1.1.0.4
	pkgsrc-2017Q2-base:1.1
	pkgsrc-2017Q1:1.1.0.2
	pkgsrc-2017Q1-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2020.08.19.10.39.25;	author bouyer;	state dead;
branches;
next	1.1;
commitid	DGAMglRf0Jde6FkC;

1.1
date	2017.03.20.18.09.21;	author bouyer;	state Exp;
branches;
next	;
commitid	bdpv829ls5LOHjKz;


desc
@@


1.2
log
@Remove xenkernel and xentools packages older than 4.11. They're not
maintained anymore upstream, and don't build on supported NetBSD releases.
@
text
@$NetBSD: patch-XSA-209-2,v 1.1 2017/03/20 18:09:21 bouyer Exp $
From: Gerd Hoffmann Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination and blit width, at all. Oops. Fix it. Security impact: high. The missing blit destination check allows to write to host memory. Basically same as CVE-2014-8106 for the other blit variants. The missing blit width check allows to overflow cirrus_bltbuf, with the attractive target cirrus_srcptr (current cirrus_bltbuf write position) being located right after cirrus_bltbuf in CirrusVGAState. Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker hasn't full control over cirrus_srcptr though, only one byte can be changed. Once the first byte has been modified further writes land elsewhere. [ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj Reported-by: Gerd Hoffmann Signed-off-by: Gerd Hoffmann Signed-off-by: Ian Jackson --- diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c index e6c3893..45facb6 100644 --- qemu-xen-traditional/hw/cirrus_vga.c.orig +++ qemu-xen-traditional/hw/cirrus_vga.c @@@@ -900,6 +900,10 @@@@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) { int w; + if (blit_is_unsafe(s)) { + return 0; + } + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; s->cirrus_srcptr = &s->cirrus_bltbuf[0]; s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; @@@@ -925,6 +929,10 @@@@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) } s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; } + + /* the blit_is_unsafe call above should catch this */ + assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); + s->cirrus_srcptr = s->cirrus_bltbuf; s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; cirrus_update_memory_access(s); @ 1.1 log @Apply upstream patches for security fixes XSA-208, XSA-209 and XSA-211. Bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: $ @
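Review bot: the early return added at the top of cirrus_bitblt_cputovideo in the first hunk (@@ -900,6 +900,10 @@) calls blit_is_unsafe with a single argument, and the trailer says the upstream call's extra parameter was dropped to make it compile; since a CIRRUS_BLTMODE_MEMSYSSRC blit takes its source from cirrus_bltbuf rather than from video memory, confirm that the one-argument blit_is_unsafe in this tree checks the destination address, pitch, width and height against the framebuffer and the width against CIRRUS_BLTBUFSIZE, and that it does not reject an otherwise valid CPU-sourced blit because of a source address this mode never reads. A one-line comment above `if (blit_is_unsafe(s)) {` noting that the rejection happens before `s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;` and before the srcptr reset, so the caller sees a refused blit with the mode bits untouched, would make the ordering deliberate rather than incidental.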
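Review bot: the assert in the second hunk (@@ -925,6 +929,10 @@) turns any gap in blit_is_unsafe into a guest-triggerable abort of the device model, and it vanishes entirely in a build with NDEBUG defined, so it documents an invariant rather than enforcing one; the check that actually protects cirrus_bltbuf is the width bound inside blit_is_unsafe. If a hard stop regardless of build flags is wanted, replace the assert with `if (s->cirrus_blt_srcpitch > CIRRUS_BLTBUFSIZE) return 0;`, bearing in mind that, unlike the early return at the top of the function, the mode bit and the source pointers have already been updated at that point. Also confirm that cirrus_vga.c already pulls in <assert.h> (the hunk adds no include) and that every path above this point that computes cirrus_blt_srcpitch derives it from the width that blit_is_unsafe bounds, since the comment only says the earlier call "should" catch it.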