From: Gerd Hoffmann
Subject: Re: [RFC PATCH-for-7.2 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Date: Mon, 28 Nov 2022 16:49:24 +0100
On Mon, Nov 28, 2022 at 04:41:14PM +0100, Philippe Mathieu-Daudé wrote:
> On 28/11/22 16:08, Gerd Hoffmann wrote:
> > > @@ -228,7 +230,7 @@ static void qxl_unpack_chunks(void *dest, size_t
> > > size, PCIQXLDevice *qxl,
> > > if (offset == size) {
> > > return;
> > > }
> > > - chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
> > > + chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, bytes);
> > > if (!chunk) {
> > > return;
> > > }
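Review bot: passing `bytes` as the requested size for the next-chunk lookup is the wrong bound. What qxl_phys2virt() can validate at this point is the fixed-size QXLDataChunk header, whose trailing chunk->data is dynamically sized, so the call should request sizeof(QXLDataChunk), and the memcpy() that follows still needs its own check that chunk->data[chunk->data_size] lies within the memory region. Whether that second check is done inside or outside the loop decides where the sizeof(QXLDataChunk) call belongs.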
> >
> > Naa, it's not that simple. You get a QXLDataChunk passed in which
> > typically is verified *excluding* dynamically-sized chunk->data.
>
> OK so IIUC 1/ this line should be:
>
> chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
> sizeof(QXLDataChunk));
Depends on whether you do (2) inside or outside the loop ;)
> but 2/ we should check chunk->data[chunk->data_size] is valid (within
> the MR) before calling the memcpy(), right?
Yes.
take care,
Gerd