[RFC PATCH-for-7.2 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
From: Philippe Mathieu-Daudé
Subject: [RFC PATCH-for-7.2 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
Date: Mon, 28 Nov 2022 14:48:27 +0100
Since v1:
- Addressed Marc-André review comments
- Moved overrun check in qxl_get_check_slot_offset()
memory_region_get_ram_ptr() returns a host pointer for a
MemoryRegion. Sometimes we do offset calculation using this
pointer without checking the underlying MemoryRegion size.
Wenxu Yin reported a buffer overrun in QXL. This series
aims to fix it. I haven't audited the other _get_ram_ptr()
uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
and add a safer helper which checks for overrun.
Worth considering for 7.2?
Regards,
Phil.
Philippe Mathieu-Daudé (5):
hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler
hw/display/qxl: Document qxl_phys2virt()
hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)
hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion
hw/display/qxl-logger.c | 22 +++++++++++++++++++---
hw/display/qxl-render.c | 12 ++++++++----
hw/display/qxl.c | 37 ++++++++++++++++++++++++++++---------
hw/display/qxl.h | 23 ++++++++++++++++++++++-
4 files changed, 77 insertions(+), 17 deletions(-)
--
2.38.1
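The pattern the series fixes, as an added illustration that is not part of this cover letter or of QEMU's code: a host pointer obtained from a RAM region plus a guest-controlled offset, handed out without knowing how many bytes the caller will touch, next to the hardened form in which the caller states the size it needs and the slot lookup rejects any range that does not fit. The MemSlot type and all function names are simplified stand-ins constructed for this example, not QEMU's real structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of a QXL-style memory slot backed by a host buffer.
 * Constructed for this example; field names are not QEMU's. */
typedef struct {
    uint8_t *host_base;   /* what memory_region_get_ram_ptr() would return */
    uint64_t size;        /* size of the backing MemoryRegion in bytes */
} MemSlot;

/* Unchecked pattern: a guest-controlled offset is added to the host
 * pointer and the result is then used for an unknown number of bytes.
 * Nothing here relates the offset to the region size. */
void *phys2virt_unchecked(const MemSlot *slot, uint64_t offset)
{
    return slot->host_base + offset;
}

/* Bounds check used by the hardened lookup: true only when the whole
 * range [offset, offset + size) lies inside the slot. Written as a
 * subtraction so a hostile offset or size cannot wrap the addition. */
bool slot_range_ok(uint64_t slot_size, uint64_t offset, uint64_t size)
{
    if (offset > slot_size) {
        return false;
    }
    return size <= slot_size - offset;
}

/* Hardened pattern: the caller passes the buffer size it is about to
 * access and gets NULL back when that range does not fit the region.
 * The caller then reports a guest error instead of touching host memory
 * past the end of the backing buffer. */
void *phys2virt_checked(const MemSlot *slot, uint64_t offset, uint64_t size)
{
    if (!slot_range_ok(slot->size, offset, size)) {
        return NULL;
    }
    return slot->host_base + offset;
}
```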