Bastian Blank
2007-Oct-04 07:02 UTC
[Pkg-xen-changes] r462 - in branches/etch/xen-3.0/debian: . patches
Author: waldi
Date: Thu Oct 4 07:02:42 2007
New Revision: 462
Log:
* debian/changelog, debian/patches/00list: Update.
* debian/patches/CVE-2007-1320.dpatch: Add.
Added:
branches/etch/xen-3.0/debian/patches/CVE-2007-1320.dpatch (contents, props
changed)
Modified:
branches/etch/xen-3.0/debian/changelog
branches/etch/xen-3.0/debian/patches/00list
Modified: branches/etch/xen-3.0/debian/changelog
=============================================================================---
branches/etch/xen-3.0/debian/changelog (original)
+++ branches/etch/xen-3.0/debian/changelog Thu Oct 4 07:02:42 2007
@@ -3,8 +3,11 @@
* Use linux-support-2.6.18-5.
* Don''t use exec with untrusted values in pygrub. (closes: #444430)
See CVE-2007-4993.
+ * Add bounds checks for cirrus bitblit memory accesses in qemu.
+ (closes: #444007)
+ See CVE-2007-1320.
- -- Bastian Blank <waldi at debian.org> Thu, 04 Oct 2007 08:56:22 +0200
+ -- Bastian Blank <waldi at debian.org> Thu, 04 Oct 2007 09:01:09 +0200
xen-3.0 (3.0.3-0-2) unstable; urgency=medium
Modified: branches/etch/xen-3.0/debian/patches/00list
=============================================================================---
branches/etch/xen-3.0/debian/patches/00list (original)
+++ branches/etch/xen-3.0/debian/patches/00list Thu Oct 4 07:02:42 2007
@@ -9,3 +9,4 @@
path-relative
not-reinvent-udev
CVE-2007-4993
+CVE-2007-1320
Added: branches/etch/xen-3.0/debian/patches/CVE-2007-1320.dpatch
=============================================================================---
(empty file)
+++ branches/etch/xen-3.0/debian/patches/CVE-2007-1320.dpatch Thu Oct 4
07:02:42 2007
@@ -0,0 +1,365 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+ at DPATCH@
+diff -r a99093e602c6 -r 9e86260b95a4 tools/ioemu/hw/cirrus_vga.c
+--- a/tools/ioemu/hw/cirrus_vga.c Tue Apr 24 16:52:15 2007 +0100
++++ b/tools/ioemu/hw/cirrus_vga.c Tue Apr 24 17:02:07 2007 +0100
+@@ -601,7 +601,8 @@ static void cirrus_invalidate_region(Cir
+ off_cur_end = off_cur + bytesperline;
+ off_cur &= TARGET_PAGE_MASK;
+ while (off_cur < off_cur_end) {
+- cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
++ cpu_physical_memory_set_dirty(s->vram_offset +
++ (off_cur & s->cirrus_addr_mask));
+ off_cur += TARGET_PAGE_SIZE;
+ }
+ off_begin += off_pitch;
+diff -r a99093e602c6 -r 9e86260b95a4 tools/ioemu/hw/cirrus_vga_rop.h
+--- a/tools/ioemu/hw/cirrus_vga_rop.h Tue Apr 24 16:52:15 2007 +0100
++++ b/tools/ioemu/hw/cirrus_vga_rop.h Tue Apr 24 17:02:07 2007 +0100
+@@ -22,18 +22,36 @@
+ * THE SOFTWARE.
+ */
+
++#define get_base(p, s, b) do { \
++ if ((p) >= (s)->vram_ptr && (p) < (s)->vram_ptr +
(s)->vram_size) \
++ (b) = (s)->vram_ptr; \
++ else if ((p) >= &(s)->cirrus_bltbuf[0] && \
++ (p) < &(s)->cirrus_bltbuf[CIRRUS_BLTBUFSIZE]) \
++ (b) = &(s)->cirrus_bltbuf[0]; \
++ else \
++ return; \
++} while(0)
++
++#define m(x) ((x) & s->cirrus_addr_mask)
++
+ static void
+ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
+- uint8_t *dst,const uint8_t *src,
++ uint8_t *dst_,const uint8_t *src_,
+ int dstpitch,int srcpitch,
+ int bltwidth,int bltheight)
+ {
+ int x,y;
++ uint32_t dst, src;
++ uint8_t *dst_base, *src_base;
++ get_base(dst_, s, dst_base);
++ get_base(src_, s, src_base);
++ dst = dst_ - dst_base;
++ src = src_ - src_base;
+ dstpitch -= bltwidth;
+ srcpitch -= bltwidth;
+ for (y = 0; y < bltheight; y++) {
+ for (x = 0; x < bltwidth; x++) {
+- ROP_OP(*dst, *src);
++ ROP_OP(*(dst_base + m(dst)), *(src_base + m(src)));
+ dst++;
+ src++;
+ }
+@@ -44,16 +62,22 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(C
+
+ static void
+ glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s,
+- uint8_t *dst,const uint8_t *src,
++ uint8_t *dst_,const uint8_t *src_,
+ int dstpitch,int srcpitch,
+ int bltwidth,int bltheight)
+ {
+ int x,y;
++ uint32_t dst, src;
++ uint8_t *dst_base, *src_base;
++ get_base(dst_, s, dst_base);
++ get_base(src_, s, src_base);
++ dst = dst_ - dst_base;
++ src = src_ - src_base;
+ dstpitch += bltwidth;
+ srcpitch += bltwidth;
+ for (y = 0; y < bltheight; y++) {
+ for (x = 0; x < bltwidth; x++) {
+- ROP_OP(*dst, *src);
++ ROP_OP(*(dst_base + m(dst)), *(src_base + m(src)));
+ dst--;
+ src--;
+ }
+@@ -76,3 +100,6 @@ glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(
+
+ #undef ROP_NAME
+ #undef ROP_OP
++
++#undef get_base
++#undef m
+diff -r a99093e602c6 -r 9e86260b95a4 tools/ioemu/hw/cirrus_vga_rop2.h
+--- a/tools/ioemu/hw/cirrus_vga_rop2.h Tue Apr 24 16:52:15 2007 +0100
++++ b/tools/ioemu/hw/cirrus_vga_rop2.h Tue Apr 24 17:02:07 2007 +0100
+@@ -23,36 +23,42 @@
+ */
+
+ #if DEPTH == 8
+-#define PUTPIXEL() ROP_OP(d[0], col)
++#define PUTPIXEL() ROP_OP((dst_base + m(d))[0], col)
+ #elif DEPTH == 16
+-#define PUTPIXEL() ROP_OP(((uint16_t *)d)[0], col);
++#define PUTPIXEL() ROP_OP(((uint16_t *)(dst_base + m(d)))[0], col);
+ #elif DEPTH == 24
+-#define PUTPIXEL() ROP_OP(d[0], col); \
+- ROP_OP(d[1], (col >> 8)); \
+- ROP_OP(d[2], (col >> 16))
++#define PUTPIXEL() ROP_OP((dst_base + m(d))[0], col); \
++ ROP_OP((dst_base + m(d))[1], (col >> 8)); \
++ ROP_OP((dst_base + m(d))[2], (col >> 16))
+ #elif DEPTH == 32
+-#define PUTPIXEL() ROP_OP(((uint32_t *)d)[0], col)
++#define PUTPIXEL() ROP_OP(((uint32_t *)(dst_base + m(d)))[0], col)
+ #else
+ #error unsupported DEPTH
+ #endif
+
+ static void
+ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
+- (CirrusVGAState * s, uint8_t * dst,
+- const uint8_t * src,
+- int dstpitch, int srcpitch,
+- int bltwidth, int bltheight)
+-{
+- uint8_t *d;
++ (CirrusVGAState * s, uint8_t * dst_,
++ const uint8_t * src_,
++ int dstpitch, int srcpitch,
++ int bltwidth, int bltheight)
++{
++ uint8_t *dst_base, *src_base;
++ uint32_t src, dst;
++ uint32_t d;
+ int x, y, pattern_y, pattern_pitch, pattern_x;
+ unsigned int col;
+- const uint8_t *src1;
++ uint32_t src1;
+ #if DEPTH == 24
+ int skipleft = s->gr[0x2f] & 0x1f;
+ #else
+ int skipleft = (s->gr[0x2f] & 0x07) * (DEPTH / 8);
+ #endif
+
++ get_base(dst_, s, dst_base);
++ get_base(src_, s, src_base);
++ dst = dst_ - dst_base;
++ src = src_ - src_base;
+ #if DEPTH == 8
+ pattern_pitch = 8;
+ #elif DEPTH == 16
+@@ -67,19 +73,19 @@ glue(glue(glue(cirrus_patternfill_, ROP_
+ src1 = src + pattern_y * pattern_pitch;
+ for (x = skipleft; x < bltwidth; x += (DEPTH / 8)) {
+ #if DEPTH == 8
+- col = src1[pattern_x];
++ col = *(src_base + m(src1 + pattern_x));
+ pattern_x = (pattern_x + 1) & 7;
+ #elif DEPTH == 16
+- col = ((uint16_t *)(src1 + pattern_x))[0];
++ col = *(uint16_t *)(src_base + m(src1 + pattern_x));
+ pattern_x = (pattern_x + 2) & 15;
+ #elif DEPTH == 24
+ {
+- const uint8_t *src2 = src1 + pattern_x * 3;
++ const uint8_t *src2 = src_base + m(src1 + pattern_x * 3);
+ col = src2[0] | (src2[1] << 8) | (src2[2] << 16);
+ pattern_x = (pattern_x + 1) & 7;
+ }
+ #else
+- col = ((uint32_t *)(src1 + pattern_x))[0];
++ col = *(uint32_t *)(src_base + m(src1 + pattern_x));
+ pattern_x = (pattern_x + 4) & 31;
+ #endif
+ PUTPIXEL();
+@@ -93,12 +99,14 @@ glue(glue(glue(cirrus_patternfill_, ROP_
+ /* NOTE: srcpitch is ignored */
+ static void
+ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
+- (CirrusVGAState * s, uint8_t * dst,
+- const uint8_t * src,
+- int dstpitch, int srcpitch,
+- int bltwidth, int bltheight)
+-{
+- uint8_t *d;
++ (CirrusVGAState * s, uint8_t * dst_,
++ const uint8_t * src_,
++ int dstpitch, int srcpitch,
++ int bltwidth, int bltheight)
++{
++ uint8_t *dst_base, *src_base;
++ uint32_t src, dst;
++ uint32_t d;
+ int x, y;
+ unsigned bits, bits_xor;
+ unsigned int col;
+@@ -112,6 +120,10 @@ glue(glue(glue(cirrus_colorexpand_transp
+ int dstskipleft = srcskipleft * (DEPTH / 8);
+ #endif
+
++ get_base(dst_, s, dst_base);
++ get_base(src_, s, src_base);
++ dst = dst_ - dst_base;
++ src = src_ - src_base;
+ if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_COLOREXPINV) {
+ bits_xor = 0xff;
+ col = s->cirrus_blt_bgcol;
+@@ -122,12 +134,12 @@ glue(glue(glue(cirrus_colorexpand_transp
+
+ for(y = 0; y < bltheight; y++) {
+ bitmask = 0x80 >> srcskipleft;
+- bits = *src++ ^ bits_xor;
++ bits = *(src_base + m(src++)) ^ bits_xor;
+ d = dst + dstskipleft;
+ for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
+ if ((bitmask & 0xff) == 0) {
+ bitmask = 0x80;
+- bits = *src++ ^ bits_xor;
++ bits = *(src_base + m(src++)) ^ bits_xor;
+ }
+ index = (bits & bitmask);
+ if (index) {
+@@ -142,13 +154,15 @@ glue(glue(glue(cirrus_colorexpand_transp
+
+ static void
+ glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
+- (CirrusVGAState * s, uint8_t * dst,
+- const uint8_t * src,
+- int dstpitch, int srcpitch,
+- int bltwidth, int bltheight)
+-{
++ (CirrusVGAState * s, uint8_t * dst_,
++ const uint8_t * src_,
++ int dstpitch, int srcpitch,
++ int bltwidth, int bltheight)
++{
++ uint8_t *dst_base, *src_base;
++ uint32_t src, dst;
+ uint32_t colors[2];
+- uint8_t *d;
++ uint32_t d;
+ int x, y;
+ unsigned bits;
+ unsigned int col;
+@@ -156,16 +170,20 @@ glue(glue(glue(cirrus_colorexpand_, ROP_
+ int srcskipleft = s->gr[0x2f] & 0x07;
+ int dstskipleft = srcskipleft * (DEPTH / 8);
+
++ get_base(dst_, s, dst_base);
++ get_base(src_, s, src_base);
++ dst = dst_ - dst_base;
++ src = src_ - src_base;
+ colors[0] = s->cirrus_blt_bgcol;
+ colors[1] = s->cirrus_blt_fgcol;
+ for(y = 0; y < bltheight; y++) {
+ bitmask = 0x80 >> srcskipleft;
+- bits = *src++;
++ bits = *(src_base + m(src++));
+ d = dst + dstskipleft;
+ for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
+ if ((bitmask & 0xff) == 0) {
+ bitmask = 0x80;
+- bits = *src++;
++ bits = *(src_base + m(src++));
+ }
+ col = colors[!!(bits & bitmask)];
+ PUTPIXEL();
+@@ -178,12 +196,14 @@ glue(glue(glue(cirrus_colorexpand_, ROP_
+
+ static void
+ glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
+- (CirrusVGAState * s, uint8_t * dst,
+- const uint8_t * src,
+- int dstpitch, int srcpitch,
+- int bltwidth, int bltheight)
+-{
+- uint8_t *d;
++ (CirrusVGAState * s, uint8_t * dst_,
++ const uint8_t * src_,
++ int dstpitch, int srcpitch,
++ int bltwidth, int bltheight)
++{
++ uint8_t *dst_base, *src_base;
++ uint32_t src, dst;
++ uint32_t d;
+ int x, y, bitpos, pattern_y;
+ unsigned int bits, bits_xor;
+ unsigned int col;
+@@ -195,6 +215,10 @@ glue(glue(glue(cirrus_colorexpand_patter
+ int dstskipleft = srcskipleft * (DEPTH / 8);
+ #endif
+
++ get_base(dst_, s, dst_base);
++ get_base(src_, s, src_base);
++ dst = dst_ - dst_base;
++ src = src_ - src_base;
+ if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_COLOREXPINV) {
+ bits_xor = 0xff;
+ col = s->cirrus_blt_bgcol;
+@@ -205,7 +229,7 @@ glue(glue(glue(cirrus_colorexpand_patter
+ pattern_y = s->cirrus_blt_srcaddr & 7;
+
+ for(y = 0; y < bltheight; y++) {
+- bits = src[pattern_y] ^ bits_xor;
++ bits = *(src_base + m(src + pattern_y)) ^ bits_xor;
+ bitpos = 7 - srcskipleft;
+ d = dst + dstskipleft;
+ for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
+@@ -222,25 +246,31 @@ glue(glue(glue(cirrus_colorexpand_patter
+
+ static void
+ glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
+- (CirrusVGAState * s, uint8_t * dst,
+- const uint8_t * src,
+- int dstpitch, int srcpitch,
+- int bltwidth, int bltheight)
+-{
++ (CirrusVGAState * s, uint8_t * dst_,
++ const uint8_t * src_,
++ int dstpitch, int srcpitch,
++ int bltwidth, int bltheight)
++{
++ uint8_t *dst_base, *src_base;
++ uint32_t src, dst;
+ uint32_t colors[2];
+- uint8_t *d;
++ uint32_t d;
+ int x, y, bitpos, pattern_y;
+ unsigned int bits;
+ unsigned int col;
+ int srcskipleft = s->gr[0x2f] & 0x07;
+ int dstskipleft = srcskipleft * (DEPTH / 8);
+
++ get_base(dst_, s, dst_base);
++ get_base(src_, s, src_base);
++ dst = dst_ - dst_base;
++ src = src_ - src_base;
+ colors[0] = s->cirrus_blt_bgcol;
+ colors[1] = s->cirrus_blt_fgcol;
+ pattern_y = s->cirrus_blt_srcaddr & 7;
+
+ for(y = 0; y < bltheight; y++) {
+- bits = src[pattern_y];
++ bits = *(src_base + m(src + pattern_y));
+ bitpos = 7 - srcskipleft;
+ d = dst + dstskipleft;
+ for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
+@@ -257,13 +287,17 @@ static void
+ static void
+ glue(glue(glue(cirrus_fill_, ROP_NAME), _),DEPTH)
+ (CirrusVGAState *s,
+- uint8_t *dst, int dst_pitch,
++ uint8_t *dst_, int dst_pitch,
+ int width, int height)
+ {
+- uint8_t *d, *d1;
++ uint8_t *dst_base;
++ uint32_t dst;
++ uint32_t d, d1;
+ uint32_t col;
+ int x, y;
+
++ get_base(dst_, s, dst_base);
++ dst = dst_ - dst_base;
+ col = s->cirrus_blt_fgcol;
+
+ d1 = dst;