From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: qemu-devel@nongnu.org, kraxel@redhat.com,
marcandre.lureau@redhat.com, jacek.halon@gmail.com
Subject: Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc
Date: Tue, 23 May 2023 09:16:47 +0100 [thread overview]
Message-ID: <ZGx2bzKuwO6e4E2L@redhat.com> (raw)
In-Reply-To: <20230508141813.1086562-1-mcascell@redhat.com>
On Mon, May 08, 2023 at 04:18:13PM +0200, Mauro Matteo Cascella wrote:
> The cursor_alloc function still accepts a signed integer for both the cursor
> width and height. A specially crafted negative width/height could make datasize
> wrap around and cause the next allocation to be 0, potentially leading to a
> heap buffer overflow. Modify QEMUCursor struct and cursor_alloc prototype to
> accept unsigned ints.
>
I concur with Marc-Andre that there is no code path that can
actually trigger an overflow:
hw/display/ati.c: s->cursor = cursor_alloc(64, 64);
hw/display/vhost-user-gpu.c: s->current_cursor = cursor_alloc(64, 64);
hw/display/virtio-gpu.c: s->current_cursor = cursor_alloc(64, 64);
Not exploitable as fixed size
hw/display/qxl-render.c: c = cursor_alloc(cursor->header.width, cursor->header.height);
Cursor header defined as:
typedef struct SPICE_ATTR_PACKED QXLCursorHeader {
uint64_t unique;
uint16_t type;
uint16_t width;
uint16_t height;
uint16_t hot_spot_x;
uint16_t hot_spot_y;
} QXLCursorHeader;
So no negative values can be passed to cursor_alloc()
hw/display/vmware_vga.c: qc = cursor_alloc(c->width, c->height);
Where 'c' is defined as:
struct vmsvga_cursor_definition_s {
uint32_t width;
uint32_t height;
int id;
uint32_t bpp;
int hot_x;
int hot_y;
uint32_t mask[1024];
uint32_t image[4096];
};
and is also already bounds checked:
if (cursor.width > 256
|| cursor.height > 256
|| cursor.bpp > 32
|| SVGA_BITMAP_SIZE(x, y) > ARRAY_SIZE(cursor.mask)
|| SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
> ARRAY_SIZE(cursor.image)) {
goto badcmd;
}
> Fixes: CVE-2023-1601
> Fixes: fa892e9a ("ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)")
Given there is no possible codepath that can overflow, CVE-2023-1601
looks invalid to me. It should be clsoed as not-a-bug and these two
Fixes lines removed.
> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> Reported-by: Jacek Halon <jacek.halon@gmail.com>
> ---
> include/ui/console.h | 4 ++--
> ui/cursor.c | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
Even though it isn't fixing a bug, the change itself still makes
sense, because there's no reason a negative width/height is ever
appropriate. This protects us against accidentally introducing
future bugs, so with the two CVE Fixes lines removed:
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
>
> diff --git a/include/ui/console.h b/include/ui/console.h
> index 2a8fab091f..92a4d90a1b 100644
> --- a/include/ui/console.h
> +++ b/include/ui/console.h
> @@ -144,13 +144,13 @@ typedef struct QemuUIInfo {
>
> /* cursor data format is 32bit RGBA */
> typedef struct QEMUCursor {
> - int width, height;
> + uint32_t width, height;
> int hot_x, hot_y;
> int refcount;
> uint32_t data[];
> } QEMUCursor;
>
> -QEMUCursor *cursor_alloc(int width, int height);
> +QEMUCursor *cursor_alloc(uint32_t width, uint32_t height);
> QEMUCursor *cursor_ref(QEMUCursor *c);
> void cursor_unref(QEMUCursor *c);
> QEMUCursor *cursor_builtin_hidden(void);
> diff --git a/ui/cursor.c b/ui/cursor.c
> index 6fe67990e2..b5fcb64839 100644
> --- a/ui/cursor.c
> +++ b/ui/cursor.c
> @@ -90,7 +90,7 @@ QEMUCursor *cursor_builtin_left_ptr(void)
> return cursor_parse_xpm(cursor_left_ptr_xpm);
> }
>
> -QEMUCursor *cursor_alloc(int width, int height)
> +QEMUCursor *cursor_alloc(uint32_t width, uint32_t height)
> {
> QEMUCursor *c;
> size_t datasize = width * height * sizeof(uint32_t);
> --
> 2.40.1
>
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2023-05-23 8:17 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-08 14:18 [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc Mauro Matteo Cascella
2023-05-09 7:13 ` Marc-André Lureau
2023-05-22 18:55 ` Philippe Mathieu-Daudé
2023-05-22 19:14 ` Mauro Matteo Cascella
2023-05-23 4:53 ` Gerd Hoffmann
2023-05-23 8:09 ` Daniel P. Berrangé
2023-05-23 8:37 ` Philippe Mathieu-Daudé
2023-05-23 12:57 ` Mauro Matteo Cascella
2023-05-23 14:06 ` Philippe Mathieu-Daudé
2023-05-23 15:17 ` Mauro Matteo Cascella
2023-05-10 18:23 ` Michael Tokarev
2023-05-22 18:05 ` Mauro Matteo Cascella
2023-05-23 8:16 ` Daniel P. Berrangé [this message]
2023-05-23 12:50 ` Mauro Matteo Cascella
2023-05-23 13:02 ` Daniel P. Berrangé
2023-05-23 15:02 ` Mauro Matteo Cascella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZGx2bzKuwO6e4E2L@redhat.com \
--to=berrange@redhat.com \
--cc=jacek.halon@gmail.com \
--cc=kraxel@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=mcascell@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.