[Qemu-devel] [PATCH 56/81] cirrus: fix oob access issue (CVE-2017-2615)
From: Michael Roth
Subject: [Qemu-devel] [PATCH 56/81] cirrus: fix oob access issue (CVE-2017-2615)
Date: Mon, 20 Mar 2017 18:08:20 -0500
From: Li Qiang <address@hidden>
When doing a bitblt copy in backward mode, we should subtract the
blt width first, just like the addition in the forward mode. This
can avoid the oob access of the front of vga's vram.
Signed-off-by: Li Qiang <address@hidden>
[ kraxel: with backward blits (negative pitch) addr is the topmost
address, so check it as-is against vram size ]
Cc: address@hidden
Cc: P J P <address@hidden>
Cc: Laszlo Ersek <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Cc: Wolfgang Bumiller <address@hidden>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
Reviewed-by: Laszlo Ersek <address@hidden>
(cherry picked from commit 62d4c6bd5263bb8413a06c80144fc678df6dfb64)
Signed-off-by: Michael Roth <address@hidden>
---
hw/display/cirrus_vga.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 379910d..629a5c8 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -277,10 +277,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
}
if (pitch < 0) {
int64_t min = addr
- + ((int64_t)s->cirrus_blt_height-1) * pitch;
- int32_t max = addr
- + s->cirrus_blt_width;
- if (min < 0 || max > s->vga.vram_size) {
+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
+ - s->cirrus_blt_width;
+ if (min < -1 || addr >= s->vga.vram_size) {
return true;
}
} else {
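Review bot: the "-1" in `if (min < -1 || addr >= s->vga.vram_size)` hides an off-by-one in the new expression: `min` subtracts the full `s->cirrus_blt_width`, so it lands one byte below the lowest byte a backward blit actually touches (addr + (height - 1) * pitch - (width - 1)), and the test therefore has to accept -1. Either subtract `(s->cirrus_blt_width - 1)` and keep the natural `min < 0`, or put a comment beside the test saying why -1 is the boundary, together with the point from the commit message that for negative pitch `addr` is the topmost address (which is what justifies dropping `max` and comparing `addr` itself against `vram_size`). Without that, the next person to touch this branch is likely to "correct" `< -1` back to `< 0` and reintroduce a one-byte hole.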
--
2.7.4
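As an added illustration of the arithmetic in the commit message (example code written for this page, not code from QEMU or from the patch author), the following stand-alone C program models the backward-blit branch of the bounds check before and after the fix and compares both against a ground-truth computation of the lowest byte a backward blit touches. The vram size, the three sets of blit parameters, and the parameter types (widened to int64_t here to sidestep signed/unsigned comparisons; the real function's parameter types are not visible in the hunk) are all constructed for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed vram size for the example (4 MiB); the real value is the
 * guest's configured VGA memory and is not shown in the patch. */
#define VRAM_SIZE 0x400000u

/*
 * Ground truth for a backward blit (pitch < 0, width >= 1, height >= 1):
 * addr is the topmost byte, each row moves down by |pitch|, and within a
 * row the copy walks downward over `width` bytes.  The lowest byte touched
 * is therefore addr + (height - 1) * pitch - (width - 1).
 */
static int64_t bkwd_lowest_byte(int32_t addr, int32_t pitch,
                                int32_t width, int32_t height)
{
    return (int64_t)addr + ((int64_t)height - 1) * pitch - ((int64_t)width - 1);
}

/* True when any byte of the blit lies outside [0, vram_size). */
static bool bkwd_leaves_vram(int32_t addr, int32_t pitch, int32_t width,
                             int32_t height, uint32_t vram_size)
{
    return bkwd_lowest_byte(addr, pitch, width, height) < 0 ||
           (int64_t)addr >= (int64_t)vram_size;
}

/* Backward branch of the check before the patch (the '-' lines). */
static bool bkwd_unsafe_before(int32_t addr, int32_t pitch, int32_t width,
                               int32_t height, uint32_t vram_size)
{
    int64_t min = addr + ((int64_t)height - 1) * pitch;
    int64_t max = (int64_t)addr + width;   /* int32_t in the original */
    return min < 0 || max > (int64_t)vram_size;
}

/* Backward branch after the patch (the '+' lines).  min subtracts the full
 * width, so it sits one byte below the lowest byte touched; hence "< -1". */
static bool bkwd_unsafe_after(int32_t addr, int32_t pitch, int32_t width,
                              int32_t height, uint32_t vram_size)
{
    int64_t min = addr + ((int64_t)height - 1) * pitch - width;
    return min < -1 || (int64_t)addr >= (int64_t)vram_size;
}

int main(void)
{
    /* Constructed blit parameters, not taken from any real guest. */
    const struct {
        int32_t addr, pitch, width, height;
        const char *what;
    } cases[] = {
        { 3122, -1024, 256, 4,
          "every row starts above 0, but the last row runs below vram[0]" },
        { (int32_t)VRAM_SIZE - 1, -1024, 256, 1,
          "legal one-row blit ending at the last byte of vram" },
        { (int32_t)VRAM_SIZE, -1024, 1, 1,
          "topmost byte one past the end of vram" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int32_t a = cases[i].addr, p = cases[i].pitch;
        int32_t w = cases[i].width, h = cases[i].height;
        printf("%s\n  addr=%" PRId32 " pitch=%" PRId32 " width=%" PRId32
               " height=%" PRId32 " lowest=%" PRId64 "\n"
               "  leaves vram: %d  old check flags: %d  new check flags: %d\n",
               cases[i].what, a, p, w, h, bkwd_lowest_byte(a, p, w, h),
               bkwd_leaves_vram(a, p, w, h, VRAM_SIZE),
               bkwd_unsafe_before(a, p, w, h, VRAM_SIZE),
               bkwd_unsafe_after(a, p, w, h, VRAM_SIZE));
    }
    return 0;
}
```

The first case is the situation the commit message describes: each row begins inside vram, so the old `min` test passes and `addr + width` is far below the vram size, yet the final row walks 205 bytes before the start of the buffer; the new check rejects it because `min` becomes -206. The second case shows why the old `addr + width` bound pointed the wrong way for a backward blit: a legal blit that ends exactly at the last byte of vram was rejected, while the new check accepts it. The forward-mode branch is not in the hunk and is not modelled here.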