From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@linaro.org>
Cc: "Marc-André Lureau" <marcandre.lureau@gmail.com>,
"Mauro Matteo Cascella" <mcascell@redhat.com>,
qemu-devel@nongnu.org, kraxel@redhat.com, jacek.halon@gmail.com,
"Richard Henderson" <richard.henderson@linaro.org>
Subject: Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc
Date: Tue, 23 May 2023 09:09:46 +0100 [thread overview]
Message-ID: <ZGx0ylB10aLWchuf@redhat.com> (raw)
In-Reply-To: <fcf99624-9a48-6760-a28d-bb88bce6572f@linaro.org>
On Mon, May 22, 2023 at 08:55:02PM +0200, Philippe Mathieu-Daudé wrote:
> On 9/5/23 09:13, Marc-André Lureau wrote:
> > Hi
> >
> > On Mon, May 8, 2023 at 6:21 PM Mauro Matteo Cascella
> > <mcascell@redhat.com <mailto:mcascell@redhat.com>> wrote:
> >
> > The cursor_alloc function still accepts a signed integer for both
> > the cursor
> > width and height. A specially crafted negative width/height could
> > make datasize
> > wrap around and cause the next allocation to be 0, potentially
> > leading to a
> > heap buffer overflow. Modify QEMUCursor struct and cursor_alloc
> > prototype to
> > accept unsigned ints.
> >
> > Fixes: CVE-2023-1601
> > Fixes: fa892e9a ("ui/cursor: fix integer overflow in cursor_alloc
> > (CVE-2021-4206)")
> > Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com
> > <mailto:mcascell@redhat.com>>
> > Reported-by: Jacek Halon <jacek.halon@gmail.com
> > <mailto:jacek.halon@gmail.com>>
> >
> >
> > Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com
> > <mailto:marcandre.lureau@redhat.com>>
> >
> > It looks like this is not exploitable, QXL code uses u16 types, and
>
> 0xffff * 0xffff * 4 still overflows on 32-bit host, right?
cursor_alloc() will reject 0xffff:
if (width > 512 || height > 512) {
return NULL;
}
>
> > VMWare VGA checks for values > 256. Other paths use fixed size.
> >
> > ---
> > include/ui/console.h | 4 ++--
> > ui/cursor.c | 2 +-
> > 2 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/include/ui/console.h b/include/ui/console.h
> > index 2a8fab091f..92a4d90a1b 100644
> > --- a/include/ui/console.h
> > +++ b/include/ui/console.h
> > @@ -144,13 +144,13 @@ typedef struct QemuUIInfo {
> >
> > /* cursor data format is 32bit RGBA */
> > typedef struct QEMUCursor {
> > - int width, height;
> > + uint32_t width, height;
> > int hot_x, hot_y;
> > int refcount;
> > uint32_t data[];
> > } QEMUCursor;
> >
> > -QEMUCursor *cursor_alloc(int width, int height);
> > +QEMUCursor *cursor_alloc(uint32_t width, uint32_t height);
> > QEMUCursor *cursor_ref(QEMUCursor *c);
> > void cursor_unref(QEMUCursor *c);
> > QEMUCursor *cursor_builtin_hidden(void);
> > diff --git a/ui/cursor.c b/ui/cursor.c
> > index 6fe67990e2..b5fcb64839 100644
> > --- a/ui/cursor.c
> > +++ b/ui/cursor.c
> > @@ -90,7 +90,7 @@ QEMUCursor *cursor_builtin_left_ptr(void)
> > return cursor_parse_xpm(cursor_left_ptr_xpm);
> > }
> >
> > -QEMUCursor *cursor_alloc(int width, int height)
> > +QEMUCursor *cursor_alloc(uint32_t width, uint32_t height)
> > {
> > QEMUCursor *c;
>
> Can't we check width/height > 0 && <= SOME_LIMIT_THAT_MAKES_SENSE?
>
> Maybe a 16K * 16K cursor is future proof and safe enough.
>
> > size_t datasize = width * height * sizeof(uint32_t);
> > -- 2.40.1
> >
> >
> >
> >
> > --
> > Marc-André Lureau
>
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2023-05-23 8:10 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-08 14:18 [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc Mauro Matteo Cascella
2023-05-09 7:13 ` Marc-André Lureau
2023-05-22 18:55 ` Philippe Mathieu-Daudé
2023-05-22 19:14 ` Mauro Matteo Cascella
2023-05-23 4:53 ` Gerd Hoffmann
2023-05-23 8:09 ` Daniel P. Berrangé [this message]
2023-05-23 8:37 ` Philippe Mathieu-Daudé
2023-05-23 12:57 ` Mauro Matteo Cascella
2023-05-23 14:06 ` Philippe Mathieu-Daudé
2023-05-23 15:17 ` Mauro Matteo Cascella
2023-05-10 18:23 ` Michael Tokarev
2023-05-22 18:05 ` Mauro Matteo Cascella
2023-05-23 8:16 ` Daniel P. Berrangé
2023-05-23 12:50 ` Mauro Matteo Cascella
2023-05-23 13:02 ` Daniel P. Berrangé
2023-05-23 15:02 ` Mauro Matteo Cascella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZGx0ylB10aLWchuf@redhat.com \
--to=berrange@redhat.com \
--cc=jacek.halon@gmail.com \
--cc=kraxel@redhat.com \
--cc=marcandre.lureau@gmail.com \
--cc=mcascell@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.