qemu-devel

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue


From: Laszlo Ersek
Subject: Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue
Date: Wed, 25 Jan 2017 11:13:42 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0

On 01/25/17 08:18, Gerd Hoffmann wrote:
>   Hi,
> 
>>> The negative pitch means (I think) that "addr" points to the lower
>>> left corner of the rectangle.
>>>
>>> The second part guarantees that the last blitted byte fits (lower
>>> right corner).
>>
>> To which Gerd responded "upper left". In retrospect I don't understand
>> why we didn't discuss that question further, as it now seems that we
>> were both wrong -- "addr" stands for bottom right, in the negative pitch
>> case.
> 
> /me looks at d3532a0db02296e687711b8cdc7791924efccea0 and I can't
> remember I wrote that code :-o

Haha, happens to me too :)

> And I can't remember the discussion either.
> 
> The good thing is I probably looked more carefully at the code because of
> that ...
> 
>> Unfortunately, the original patch was meant to address the
>> then-embargoed CVE-2014-8106. Since we have a bug in that code (= a
>> security fix), this issue should have been reported privately as well,
> 
> It has been reported privately first.  I've actually suggested to send
> it to the public list without embargo, given that we are moving away
> from cirrus so this is less critical than it used to be two years ago.
> Cirrus isn't the default display adapter any more in qemu, since years,
> and management apps (virt-manager, ovirt, ...) are following.

Ah, I see -- a CVE is justified, but an embargo: likely not. Makes sense.

Thanks!
Laszlo



