Date: Sat, 11 Feb 2017 08:43:45 +0000 (UTC) From: =?UTF-8?Q?Roger_Pau_Monn=c3=a9?= <royger@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r433847 - in branches/2017Q1/sysutils/xen-tools: . files Message-ID: <201702110843.v1B8hj7B058308@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: royger (src committer) Date: Sat Feb 11 08:43:45 2017 New Revision: 433847 URL: https://svnweb.freebsd.org/changeset/ports/433847 Log: MFH: r433792 xen: apply XSA-209 Sponsored by: Citrix Systems R&D Approved by: ports-secteam (junovitch) Added: branches/2017Q1/sysutils/xen-tools/files/xsa208-qemuu.patch - copied unchanged from r433792, head/sysutils/xen-tools/files/xsa208-qemuu.patch Modified: branches/2017Q1/sysutils/xen-tools/Makefile Directory Properties: branches/2017Q1/ (props changed) Modified: branches/2017Q1/sysutils/xen-tools/Makefile ============================================================================== --- branches/2017Q1/sysutils/xen-tools/Makefile Sat Feb 11 08:38:13 2017 (r433846) +++ branches/2017Q1/sysutils/xen-tools/Makefile Sat Feb 11 08:43:45 2017 (r433847) @@ -3,7 +3,7 @@ PORTNAME= xen PKGNAMESUFFIX= -tools PORTVERSION= 4.7.1 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= sysutils emulators MASTER_SITES= http://downloads.xenproject.org/release/xen/${PORTVERSION}/ Copied: branches/2017Q1/sysutils/xen-tools/files/xsa208-qemuu.patch (from r433792, head/sysutils/xen-tools/files/xsa208-qemuu.patch) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q1/sysutils/xen-tools/files/xsa208-qemuu.patch Sat Feb 11 08:43:45 2017 (r433847, copy of r433792, head/sysutils/xen-tools/files/xsa208-qemuu.patch) @@ -0,0 +1,45 @@ +From: Li Qiang <address@hidden> + +When doing bitblt copy in backward mode, we should minus the +blt width first just like the adding in the forward mode. This +can avoid the oob access of the front of vga's vram. + +Signed-off-by: Li Qiang <address@hidden> +Message-id: address@hidden + +{ kraxel: with backward blits (negative pitch) addr is the topmost + address, so check it as-is against vram size ] + +[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ] + +Cc: address@hidden +Cc: P J P <address@hidden> +Cc: Laszlo Ersek <address@hidden> +Cc: Paolo Bonzini <address@hidden> +Cc: Wolfgang Bumiller <address@hidden> +Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) +Signed-off-by: Gerd Hoffmann <address@hidden> +--- + hw/display/cirrus_vga.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index bdb092e..3bbe3d5 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -277,10 +277,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + } + if (pitch < 0) { + int64_t min = addr +- + ((int64_t)s->cirrus_blt_height-1) * pitch; +- int32_t max = addr +- + s->cirrus_blt_width; +- if (min < 0 || max > s->vga.vram_size) { ++ + ((int64_t)s->cirrus_blt_height - 1) * pitch ++ - s->cirrus_blt_width; ++ if (min < -1 || addr >= s->vga.vram_size) { + return true; + } + } else { +-- +1.8.3.1
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201702110843.v1B8hj7B058308>