Re: [RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_

From:	Mauro Matteo Cascella
Subject:	Re: [RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
Date:	Fri, 25 Nov 2022 17:22:52 +0100

On Fri, Nov 25, 2022 at 4:40 PM Philippe Mathieu-Daudé
<philmd@linaro.org> wrote:
>
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
>
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.

This is now CVE-2022-4144. Please add proper "Fixes:" tag, if possible.

Thank you for the fix.

> Worth considering for 7.2?
>
> Regards,
>
> Phil.
>
> Philippe Mathieu-Daudé (4):
>   hw/display/qxl: Have qxl_log_command Return early if no log_cmd
>     handler
>   hw/display/qxl: Document qxl_phys2virt()
>   hw/display/qxl: Pass qxl_phys2virt size
>   hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
>
>  hw/display/qxl-logger.c | 22 +++++++++++++++++++---
>  hw/display/qxl-render.c | 11 +++++++----
>  hw/display/qxl.c        | 25 +++++++++++++++++++------
>  hw/display/qxl.h        | 23 ++++++++++++++++++++++-
>  4 files changed, 67 insertions(+), 14 deletions(-)
>
> --
> 2.38.1
>


-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0

[Prev in Thread]

Current Thread

[Next in Thread]

[RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt(), Philippe Mathieu-Daudé, 2022/11/25
- [RFC PATCH-for-7.2 1/4] hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler, Philippe Mathieu-Daudé, 2022/11/25
  - Re: [RFC PATCH-for-7.2 1/4] hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler, Marc-André Lureau, 2022/11/28
- [RFC PATCH-for-7.2 2/4] hw/display/qxl: Document qxl_phys2virt(), Philippe Mathieu-Daudé, 2022/11/25
  - Re: [RFC PATCH-for-7.2 2/4] hw/display/qxl: Document qxl_phys2virt(), Marc-André Lureau, 2022/11/28
- Re: [RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt(), Mauro Matteo Cascella <=
- [RFC PATCH-for-7.2 3/4] hw/display/qxl: Pass requested buffer size to qxl_phys2virt(), Philippe Mathieu-Daudé, 2022/11/25
  - [RFC PATCH-for-7.2 4/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144), Philippe Mathieu-Daudé, 2022/11/25
    - Re: [RFC PATCH-for-7.2 4/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144), Marc-André Lureau, 2022/11/28
    - Re: [RFC PATCH-for-7.2 4/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144), Philippe Mathieu-Daudé, 2022/11/28
  - Re: [RFC PATCH-for-7.2 3/4] hw/display/qxl: Pass requested buffer size to qxl_phys2virt(), Marc-André Lureau, 2022/11/28
    - Re: [RFC PATCH-for-7.2 3/4] hw/display/qxl: Pass requested buffer size to qxl_phys2virt(), Philippe Mathieu-Daudé, 2022/11/28
- Re: [RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt(), Philippe Mathieu-Daudé, 2022/11/25

Prev by Date: [PATCH] tests/qtest/vhost-user-blk-test: don't abort all qtests on missing envar
Next by Date: Re: [Virtio-fs] [PATCH] virtiofsd: Add `sigreturn` to the seccomp whitelist
Previous by thread: Re: [RFC PATCH-for-7.2 2/4] hw/display/qxl: Document qxl_phys2virt()
Next by thread: [RFC PATCH-for-7.2 3/4] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Index(es):
- Date
- Thread