From: Gerd Hoffmann
Subject: Re: [RFC PATCH-for-7.2 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Date: Mon, 28 Nov 2022 16:08:53 +0100
> @@ -228,7 +230,7 @@ static void qxl_unpack_chunks(void *dest, size_t size,
> PCIQXLDevice *qxl,
> if (offset == size) {
> return;
> }
> - chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
> + chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, bytes);
> if (!chunk) {
> return;
> }
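Review bot: the `bytes` passed on the changed line `chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, bytes);` bounds what the caller wants to unpack, not the chunk being mapped: the fixed QXLDataChunk header can be checked against a constant size, but the length of the trailing `chunk->data[]` is only known after that header has been read from guest memory, so the lookup should validate the header first and then separately verify that the header-declared data length fits before the loop reads from `chunk->data`.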
Naa, it's not that simple. You get a QXLDataChunk passed in which
typically is verified *excluding* dynamically-sized chunk->data.
Also at least one code path (processing SPICE_CURSOR_TYPE_MONO in
qxl_cursor) accesses chunk.data[] without calling
qxl_unpack_chunks(); that needs additional verification too (or
switch it to call qxl_unpack_chunks, or just drop it because nobody
uses monochrome cursors anyway).
take care,
Gerd
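An added C example, not from the patch or from QEMU, of the two-step check the reply above calls for: validate the fixed chunk header first, then re-validate with the header-declared data length before touching the payload. The header layout (`CHUNK_HDR_LEN`, `data_size` at offset 0) and the names `chunk_checked` and `chunk_checked_selftest` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed header layout for this example (not QEMU's definition):
 * u32 data_size, u64 prev_chunk, u64 next_chunk, then data_size bytes. */
enum { CHUNK_HDR_LEN = 20 };

/* Return a pointer to the payload of the chunk at `offset` inside a guest
 * memory region of `region_len` bytes, or NULL if either the fixed header
 * or the payload it declares would overrun the region. A caller-supplied
 * byte count cannot replace this: the payload length lives in guest
 * memory and is only known once the header has been checked. */
static const uint8_t *chunk_checked(const uint8_t *region, uint64_t region_len,
                                    uint64_t offset)
{
    uint32_t data_size;
    uint64_t payload_off;

    /* step 1: the fixed-size header must lie inside the region */
    if (offset > region_len || region_len - offset < CHUNK_HDR_LEN) {
        return NULL;
    }
    /* memcpy rather than a cast: guest memory need not be aligned */
    memcpy(&data_size, region + offset, sizeof data_size);

    /* step 2: the guest-controlled payload length must also fit; the
     * subtraction cannot wrap because step 1 guaranteed the header fits */
    payload_off = offset + CHUNK_HDR_LEN;
    if (data_size > region_len - payload_off) {
        return NULL;
    }
    return region + payload_off;
}

/* Constructed 64-byte region: a valid chunk at offset 8 declaring 16 payload
 * bytes, and a chunk at offset 44 whose header fits but whose declared
 * payload does not. Returns 1 if every verdict is as expected. */
int chunk_checked_selftest(void)
{
    uint8_t region[64];
    uint32_t good = 16, huge = 0xffffffffu;

    memset(region, 0, sizeof region);
    memcpy(region + 8, &good, sizeof good);
    memcpy(region + 44, &huge, sizeof huge);    /* 44 + 20 == 64: header just fits */

    return chunk_checked(region, sizeof region, 8) == region + 28
        && chunk_checked(region, sizeof region, 44) == NULL     /* payload overruns */
        && chunk_checked(region, sizeof region, 50) == NULL     /* header overruns */
        && chunk_checked(region, sizeof region, 1000) == NULL;  /* offset past end */
}
```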