From: Anthony Liguori <anthony@codemonkey.ws>
To: Roland Dreier <rdreier@cisco.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH resend] vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow
Date: Mon, 11 Jan 2010 10:01:37 -0600
Message-ID: <4B4B4B61.90303@codemonkey.ws>
In-Reply-To: <adamy0rvo5l.fsf_-_@roland-alpha.cisco.com>
On 01/05/2010 10:43 PM, Roland Dreier wrote:
> Check that the cursor dimensions passed from the guest for the
> DEFINE_CURSOR command don't overflow the available space in the
> cursor.image[] or cursor.mask[] arrays before copying data from the
> guest into those arrays.
>
> Signed-off-by: Roland Dreier <rolandd@cisco.com>
>
Applied. Thanks.
Regards,
Anthony Liguori
> ---
> Hi Anthony,
>
> as far as I can tell this seems to have slipped through the cracks. I
> think this is fairly important: it is a guest-triggerable stack smashing
> attack in the worst case.
>
> Thanks,
> Roland
>
> hw/vmware_vga.c | 7 +++++++
> 1 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
> index 7ab1c79..5e969ae 100644
> --- a/hw/vmware_vga.c
> +++ b/hw/vmware_vga.c
> @@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
> cursor.height = y = vmsvga_fifo_read(s);
> vmsvga_fifo_read(s);
> cursor.bpp = vmsvga_fifo_read(s);
> +
> + if (SVGA_BITMAP_SIZE(x, y)> sizeof cursor.mask ||
> + SVGA_PIXMAP_SIZE(x, y, cursor.bpp)> sizeof cursor.image) {
> + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
> + goto badcmd;
> + }
> +
> for (args = 0; args< SVGA_BITMAP_SIZE(x, y); args ++)
> cursor.mask[args] = vmsvga_fifo_read_raw(s);
> for (args = 0; args< SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)
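Review bot: the bound and the two loop limits evaluate SVGA_BITMAP_SIZE(x, y) and SVGA_PIXMAP_SIZE(x, y, cursor.bpp) repeatedly; computing each once into a local (e.g. `mask_size`, `image_size`) before the `if` would make it obvious that the value checked against `sizeof cursor.mask` / `sizeof cursor.image` is exactly the value the copy loops use. Since x, y and cursor.bpp are all read from the guest-controlled FIFO, it is also worth confirming that these macros cannot wrap in 32-bit arithmetic for large dimensions; if they can, capping x and y individually before the size check would be a cheap extra guard. Finally, the `args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);` assignment before `goto badcmd;` deserves a one-line comment saying what the badcmd path does with `args`, as it is not apparent from the hunk.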
Thread overview:
2009-12-17 22:27 [Qemu-devel] [PATCH to consider for 0.12] vmware_vga: Don't crash on too-big DEFINE_CURSOR command Roland Dreier
2009-12-17 22:34 ` [Qemu-devel] " Anthony Liguori
2009-12-17 22:38 ` Roland Dreier
2009-12-17 22:49 ` Anthony Liguori
2009-12-17 22:41 ` Roland Dreier
2009-12-17 22:48 ` Anthony Liguori
2009-12-20 18:06 ` Roland Dreier
2010-01-06 4:43 ` [Qemu-devel] [PATCH resend] vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow Roland Dreier
2010-01-11 16:01 ` Anthony Liguori [this message]