[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 56/81] cirrus: fix oob access issue (CVE-2017-2615)
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 56/81] cirrus: fix oob access issue (CVE-2017-2615) |
Date: |
Mon, 20 Mar 2017 18:08:20 -0500 |
From: Li Qiang <address@hidden>
When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.
Signed-off-by: Li Qiang <address@hidden>
{ kraxel: with backward blits (negative pitch) addr is the topmost
address, so check it as-is against vram size ]
Cc: address@hidden
Cc: P J P <address@hidden>
Cc: Laszlo Ersek <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Cc: Wolfgang Bumiller <address@hidden>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
Reviewed-by: Laszlo Ersek <address@hidden>
(cherry picked from commit 62d4c6bd5263bb8413a06c80144fc678df6dfb64)
Signed-off-by: Michael Roth <address@hidden>
---
hw/display/cirrus_vga.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 379910d..629a5c8 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -277,10 +277,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
}
if (pitch < 0) {
int64_t min = addr
- + ((int64_t)s->cirrus_blt_height-1) * pitch;
- int32_t max = addr
- + s->cirrus_blt_width;
- if (min < 0 || max > s->vga.vram_size) {
+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
+ - s->cirrus_blt_width;
+ if (min < -1 || addr >= s->vga.vram_size) {
return true;
}
} else {
--
2.7.4
- [Qemu-stable] [PATCH 57/81] cpu-exec: fix icount out-of-bounds access, (continued)
- [Qemu-stable] [PATCH 57/81] cpu-exec: fix icount out-of-bounds access, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 59/81] target/s390x: use "qemu" cpu model in user mode, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 64/81] vnc: do not disconnect on EAGAIN, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 68/81] apic: reset apic_delivered global variable on machine reset, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 73/81] eth: Extend vlan stripping functions, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 40/81] pc: fix crash in rtc_set_memory() if initial cpu is marked as hotplugged, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 47/81] display: cirrus: ignore source pitch value as needed in blit_is_unsafe, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 04/81] 9pfs: introduce relative_openat_nofollow() helper, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 51/81] tcg/aarch64: Fix tcg_out_movi, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 60/81] s390x/kvm: fix small race reboot vs. cmma, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 56/81] cirrus: fix oob access issue (CVE-2017-2615),
Michael Roth <=
- [Qemu-stable] [PATCH 58/81] ahci: advertise HOST_CAP_64, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 53/81] virtio: fix up max size checks, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 62/81] block/nfs: fix naming of runtime opts, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 67/81] target/sparc: Restore ldstub of odd asis, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 75/81] NetRxPkt: Do not try to pull more data than present, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 81/81] thread-pool: add missing qemu_bh_cancel in completion function, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 78/81] scsi: mptsas: fix the wrong reading size in fetch request, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 69/81] target-i386: correctly propagate retaddr into SVM helpers, Michael Roth, 2017/03/20
- [Qemu-stable] [PATCH 71/81] hmp: fix block_set_io_throttle, Michael Roth, 2017/03/20