[Qemu-devel] [PATCH v2 0/5] vmware-vga: fix CVE-2014-3689

[Qemu-devel] [PATCH v2 0/5] vmware-vga: fix CVE-2014-3689

[Gerd Hoffmann]

  Hi,

vmware-vga emulation lacks sanity checks in the hardware acceleration
(blit + fill) functions.  This patch series plugs the holes.

v2 changes:
 * small whitespace fixup.
 * do fullscreen update on invalid update requests.

cheers,
  Gerd

Gerd Hoffmann (5):
  vmware-vga: CVE-2014-3689: turn off hw accel
  vmware-vga: add vmsvga_verify_rect
  vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
  vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
  vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect

 hw/display/vmware_vga.c | 94 ++++++++++++++++++++++++++++++++++---------------
 1 file changed, 66 insertions(+), 28 deletions(-)

-- 
1.8.3.1

[Qemu-devel] [PATCH] [sparse] fix build

[Gerd Hoffmann]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 configure | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure b/configure
index 9802e89..060c42a 100755
--- a/configure
+++ b/configure
@@ -4939,6 +4939,7 @@ echo "QEMU_CFLAGS=$QEMU_CFLAGS" >> $config_host_mak
 echo "QEMU_INCLUDES=$QEMU_INCLUDES" >> $config_host_mak
 if test "$sparse" = "yes" ; then
   echo "CC           := REAL_CC=\"\$(CC)\" cgcc"       >> $config_host_mak
+  echo "CXX          := REAL_CC=\"\$(CXX)\" cgcc"      >> $config_host_mak
   echo "HOST_CC      := REAL_CC=\"\$(HOST_CC)\" cgcc"  >> $config_host_mak
   echo "QEMU_CFLAGS  += -Wbitwise -Wno-transparent-union -Wno-old-initializer -Wno-non-pointer-null" >> $config_host_mak
 fi
-- 
1.8.3.1

Re: [Qemu-devel] [PATCH] [sparse] fix build

[Gerd Hoffmann]

On Mi, 2014-10-15 at 12:10 +0200, Gerd Hoffmann wrote:
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Oops, leftover patch file, please ignore this one.

sorry,

  Gerd

[Qemu-devel] [PATCH v2 1/5] vmware-vga: CVE-2014-3689: turn off hw accel

[Gerd Hoffmann]

Quick & easy stopgap for CVE-2014-3689:  We just compile out the
hardware acceleration functions which lack sanity checks.  Thankfully
we have capability bits for them (SVGA_CAP_RECT_COPY and
SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.

Subsequent patches will add the missing checks and re-enable the
hardware acceleration emulation.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/vmware_vga.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 0c36c72..ec63290 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -29,8 +29,10 @@
 #include "hw/pci/pci.h"
 
 #undef VERBOSE
+#if 0
 #define HW_RECT_ACCEL
 #define HW_FILL_ACCEL
+#endif
 #define HW_MOUSE_ACCEL
 
 #include "vga_int.h"
-- 
1.8.3.1

Re: [Qemu-devel] [PATCH v2 1/5] vmware-vga: CVE-2014-3689: turn off hw accel

[Don Koch]

On Wed, 15 Oct 2014 12:10:35 +0200
Gerd Hoffmann <kraxel@redhat.com> wrote:

> Quick & easy stopgap for CVE-2014-3689:  We just compile out the
> hardware acceleration functions which lack sanity checks.  Thankfully
> we have capability bits for them (SVGA_CAP_RECT_COPY and
> SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.
> 
> Subsequent patches will add the missing checks and re-enable the
> hardware acceleration emulation.
> 
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Reviewed-by: Don Koch <dkoch@verizon.com>

> ---
>  hw/display/vmware_vga.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
> index 0c36c72..ec63290 100644
> --- a/hw/display/vmware_vga.c
> +++ b/hw/display/vmware_vga.c
> @@ -29,8 +29,10 @@
>  #include "hw/pci/pci.h"
>  
>  #undef VERBOSE
> +#if 0
>  #define HW_RECT_ACCEL
>  #define HW_FILL_ACCEL
> +#endif
>  #define HW_MOUSE_ACCEL
>  
>  #include "vga_int.h"
> -- 
> 1.8.3.1
> 
> 

[Qemu-devel] [PATCH v2 2/5] vmware-vga: add vmsvga_verify_rect

[Gerd Hoffmann]

Add verification function for rectangles, returning
true if verification passes and false otherwise.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/vmware_vga.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index ec63290..ba73a1c 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -294,8 +294,59 @@ enum {
     SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
 };
 
+static inline bool vmsvga_verify_rect(DisplaySurface *surface,
+                                      const char *name,
+                                      int x, int y, int w, int h)
+{
+    if (x < 0) {
+        fprintf(stderr, "%s: x was < 0 (%d)\n", name, x);
+        return false;
+    }
+    if (x > SVGA_MAX_WIDTH) {
+        fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x);
+        return false;
+    }
+    if (w < 0) {
+        fprintf(stderr, "%s: w was < 0 (%d)\n", name, w);
+        return false;
+    }
+    if (w > SVGA_MAX_WIDTH) {
+        fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w);
+        return false;
+    }
+    if (x + w > surface_width(surface)) {
+        fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n",
+                name, surface_width(surface), x, w);
+        return false;
+    }
+
+    if (y < 0) {
+        fprintf(stderr, "%s: y was < 0 (%d)\n", name, y);
+        return false;
+    }
+    if (y > SVGA_MAX_HEIGHT) {
+        fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y);
+        return false;
+    }
+    if (h < 0) {
+        fprintf(stderr, "%s: h was < 0 (%d)\n", name, h);
+        return false;
+    }
+    if (h > SVGA_MAX_HEIGHT) {
+        fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h);
+        return false;
+    }
+    if (y + h > surface_height(surface)) {
+        fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n",
+                name, surface_height(surface), y, h);
+        return false;
+    }
+
+    return true;
+}
+
 static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
-                int x, int y, int w, int h)
+                                      int x, int y, int w, int h)
 {
     DisplaySurface *surface = qemu_console_surface(s->vga.con);
     int line;
-- 
1.8.3.1

Re: [Qemu-devel] [PATCH v2 2/5] vmware-vga: add vmsvga_verify_rect

[Don Koch]

On Wed, 15 Oct 2014 12:10:36 +0200
Gerd Hoffmann <kraxel@redhat.com> wrote:

> Add verification function for rectangles, returning
> true if verification passes and false otherwise.
> 
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Reviewed-by: Don Koch <dkoch@verizon.com>
> ---
>  hw/display/vmware_vga.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 52 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
> index ec63290..ba73a1c 100644
> --- a/hw/display/vmware_vga.c
> +++ b/hw/display/vmware_vga.c
> @@ -294,8 +294,59 @@ enum {
>      SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
>  };
>  
> +static inline bool vmsvga_verify_rect(DisplaySurface *surface,
> +                                      const char *name,
> +                                      int x, int y, int w, int h)
> +{
> +    if (x < 0) {
> +        fprintf(stderr, "%s: x was < 0 (%d)\n", name, x);
> +        return false;
> +    }
> +    if (x > SVGA_MAX_WIDTH) {
> +        fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x);
> +        return false;
> +    }
> +    if (w < 0) {
> +        fprintf(stderr, "%s: w was < 0 (%d)\n", name, w);
> +        return false;
> +    }
> +    if (w > SVGA_MAX_WIDTH) {
> +        fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w);
> +        return false;
> +    }
> +    if (x + w > surface_width(surface)) {
> +        fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n",
> +                name, surface_width(surface), x, w);
> +        return false;
> +    }
> +
> +    if (y < 0) {
> +        fprintf(stderr, "%s: y was < 0 (%d)\n", name, y);
> +        return false;
> +    }
> +    if (y > SVGA_MAX_HEIGHT) {
> +        fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y);
> +        return false;
> +    }
> +    if (h < 0) {
> +        fprintf(stderr, "%s: h was < 0 (%d)\n", name, h);
> +        return false;
> +    }
> +    if (h > SVGA_MAX_HEIGHT) {
> +        fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h);
> +        return false;
> +    }
> +    if (y + h > surface_height(surface)) {
> +        fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n",
> +                name, surface_height(surface), y, h);
> +        return false;
> +    }
> +
> +    return true;
> +}
> +
>  static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
> -                int x, int y, int w, int h)
> +                                      int x, int y, int w, int h)
>  {
>      DisplaySurface *surface = qemu_console_surface(s->vga.con);
>      int line;
> -- 
> 1.8.3.1
> 
> 

[Qemu-devel] [PATCH v2 3/5] vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect

[Gerd Hoffmann]

Switch vmsvga_update_rect over to use vmsvga_verify_rect.  Slight change
in behavior:  We don't try to automatically fixup rectangles any more.
In case we find invalid update requests we'll do a full-screen update
instead.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/vmware_vga.c | 32 ++++----------------------------
 1 file changed, 4 insertions(+), 28 deletions(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index ba73a1c..9d79de6 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -356,36 +356,12 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
     uint8_t *src;
     uint8_t *dst;
 
-    if (x < 0) {
-        fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
-        w += x;
+    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
+        /* go for a fullscreen update as fallback */
         x = 0;
-    }
-    if (w < 0) {
-        fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
-        w = 0;
-    }
-    if (x + w > surface_width(surface)) {
-        fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
-                __func__, x, w);
-        x = MIN(x, surface_width(surface));
-        w = surface_width(surface) - x;
-    }
-
-    if (y < 0) {
-        fprintf(stderr, "%s: update y was < 0 (%d)\n",  __func__, y);
-        h += y;
         y = 0;
-    }
-    if (h < 0) {
-        fprintf(stderr, "%s: update h was < 0 (%d)\n",  __func__, h);
-        h = 0;
-    }
-    if (y + h > surface_height(surface)) {
-        fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
-                __func__, y, h);
-        y = MIN(y, surface_height(surface));
-        h = surface_height(surface) - y;
+        w = surface_width(surface);
+        h = surface_height(surface);
     }
 
     bypl = surface_stride(surface);
-- 
1.8.3.1

Re: [Qemu-devel] [PATCH v2 3/5] vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect

[Don Koch]

On Wed, 15 Oct 2014 12:10:37 +0200
Gerd Hoffmann <kraxel@redhat.com> wrote:

> Switch vmsvga_update_rect over to use vmsvga_verify_rect.  Slight change
> in behavior:  We don't try to automatically fixup rectangles any more.
> In case we find invalid update requests we'll do a full-screen update
> instead.

This is good since the original calculations were wrong. (I had already fixed
said calculations but hadn't cleaned them up for submittal, yet.) Unfortunate
that you end up using "the big hammer" to fix it (i.e., update the entire screen),
but that's better than before.

Reviewed-by: Don Koch <dkoch@verizon.com>

> Cc: qemu-stable@nongnu.org
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/display/vmware_vga.c | 32 ++++----------------------------
>  1 file changed, 4 insertions(+), 28 deletions(-)
> 
> diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
> index ba73a1c..9d79de6 100644
> --- a/hw/display/vmware_vga.c
> +++ b/hw/display/vmware_vga.c
> @@ -356,36 +356,12 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
>      uint8_t *src;
>      uint8_t *dst;
>  
> -    if (x < 0) {
> -        fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
> -        w += x;
> +    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
> +        /* go for a fullscreen update as fallback */
>          x = 0;
> -    }
> -    if (w < 0) {
> -        fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
> -        w = 0;
> -    }
> -    if (x + w > surface_width(surface)) {
> -        fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
> -                __func__, x, w);
> -        x = MIN(x, surface_width(surface));
> -        w = surface_width(surface) - x;
> -    }
> -
> -    if (y < 0) {
> -        fprintf(stderr, "%s: update y was < 0 (%d)\n",  __func__, y);
> -        h += y;
>          y = 0;
> -    }
> -    if (h < 0) {
> -        fprintf(stderr, "%s: update h was < 0 (%d)\n",  __func__, h);
> -        h = 0;
> -    }
> -    if (y + h > surface_height(surface)) {
> -        fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
> -                __func__, y, h);
> -        y = MIN(y, surface_height(surface));
> -        h = surface_height(surface) - y;
> +        w = surface_width(surface);
> +        h = surface_height(surface);
>      }
>  
>      bypl = surface_stride(surface);
> -- 
> 1.8.3.1
> 
> 

[Qemu-devel] [PATCH v2 4/5] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect

[Gerd Hoffmann]

Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/vmware_vga.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 9d79de6..1fc9641 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -29,8 +29,8 @@
 #include "hw/pci/pci.h"
 
 #undef VERBOSE
-#if 0
 #define HW_RECT_ACCEL
+#if 0
 #define HW_FILL_ACCEL
 #endif
 #define HW_MOUSE_ACCEL
@@ -417,6 +417,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
     int line = h;
     uint8_t *ptr[2];
 
+    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
+        return;
+    }
+    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
+        return;
+    }
+
     if (y1 > y0) {
         ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
         ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
-- 
1.8.3.1

Re: [Qemu-devel] [PATCH v2 4/5] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect

[Don Koch]

On Wed, 15 Oct 2014 12:10:38 +0200
Gerd Hoffmann <kraxel@redhat.com> wrote:

> Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.
> 
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/display/vmware_vga.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
> index 9d79de6..1fc9641 100644
> --- a/hw/display/vmware_vga.c
> +++ b/hw/display/vmware_vga.c
> @@ -29,8 +29,8 @@
>  #include "hw/pci/pci.h"
>  
>  #undef VERBOSE
> -#if 0
>  #define HW_RECT_ACCEL
> +#if 0
>  #define HW_FILL_ACCEL
>  #endif
>  #define HW_MOUSE_ACCEL
> @@ -417,6 +417,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
>      int line = h;
>      uint8_t *ptr[2];
>  
> +    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
> +        return;
> +    }
> +    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
> +        return;
> +    }
> +

If I read this correctly, if either the source or destination are even partially
off-screen, the copy silently fails, which sounds wrong.

I'd suggest having this function return false if one of these checks fail so the
caller can do something appropriate (like "goto badcmd").

-d

>      if (y1 > y0) {
>          ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
>          ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
> -- 
> 1.8.3.1
> 
> 

[Qemu-devel] [PATCH v2 5/5] vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect

[Gerd Hoffmann]

Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/vmware_vga.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 1fc9641..7f3a9e6 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -30,9 +30,7 @@
 
 #undef VERBOSE
 #define HW_RECT_ACCEL
-#if 0
 #define HW_FILL_ACCEL
-#endif
 #define HW_MOUSE_ACCEL
 
 #include "vga_int.h"
@@ -456,6 +454,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
     uint8_t *src;
     uint8_t col[4];
 
+    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
+        return;
+    }
+
     col[0] = c;
     col[1] = c >> 8;
     col[2] = c >> 16;
-- 
1.8.3.1

Re: [Qemu-devel] [PATCH v2 5/5] vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect

[Don Koch]

On Wed, 15 Oct 2014 12:10:39 +0200
Gerd Hoffmann <kraxel@redhat.com> wrote:

> Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.
> 
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/display/vmware_vga.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
> index 1fc9641..7f3a9e6 100644
> --- a/hw/display/vmware_vga.c
> +++ b/hw/display/vmware_vga.c
> @@ -30,9 +30,7 @@
>  
>  #undef VERBOSE
>  #define HW_RECT_ACCEL
> -#if 0
>  #define HW_FILL_ACCEL
> -#endif
>  #define HW_MOUSE_ACCEL
>  
>  #include "vga_int.h"
> @@ -456,6 +454,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
>      uint8_t *src;
>      uint8_t col[4];
>  
> +    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
> +        return;
> +    }
> +

Same issue as with vmsvga_copy_rect().

-d

Re: [Qemu-devel] [PATCH v2 0/5] vmware-vga: fix CVE-2014-3689

[Michael Tokarev]

On 15.10.2014 12:10, Gerd Hoffmann wrote:
>    Hi,
>
> vmware-vga emulation lacks sanity checks in the hardware acceleration
> (blit + fill) functions.  This patch series plugs the holes.
>
> v2 changes:
>   * small whitespace fixup.
>   * do fullscreen update on invalid update requests.
>
> cheers,
>    Gerd
>
> Gerd Hoffmann (5):
>    vmware-vga: CVE-2014-3689: turn off hw accel
>    vmware-vga: add vmsvga_verify_rect
>    vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
>    vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
>    vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect

A small question.  Why do you first disable the hw accel for rect&fill
and re-enable them in subsequent patches, as if applying the real
fix patches takes very long time and during that time we need the
hole to be fixed?  Why not just to fix it for real without the temp
workarounds? :)

Thanks,

/mjt

Re: [Qemu-devel] [PATCH v2 0/5] vmware-vga: fix CVE-2014-3689

[Gerd Hoffmann]

On Mi, 2014-10-15 at 17:43 +0200, Michael Tokarev wrote:
> On 15.10.2014 12:10, Gerd Hoffmann wrote:
> >    Hi,
> >
> > vmware-vga emulation lacks sanity checks in the hardware acceleration
> > (blit + fill) functions.  This patch series plugs the holes.
> >
> > v2 changes:
> >   * small whitespace fixup.
> >   * do fullscreen update on invalid update requests.
> >
> > cheers,
> >    Gerd
> >
> > Gerd Hoffmann (5):
> >    vmware-vga: CVE-2014-3689: turn off hw accel
> >    vmware-vga: add vmsvga_verify_rect
> >    vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
> >    vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
> >    vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
> 
> A small question.  Why do you first disable the hw accel for rect&fill
> and re-enable them in subsequent patches, as if applying the real
> fix patches takes very long time and during that time we need the
> hole to be fixed?

That was just the order the patches where created.  There isn't a real
need for patch #1, but it didn't look important enough to me to bother
fixing it up after the series was complete.

cheers,
  Gerd

[Qemu-devel] [PATCH] sparse: fix build

[Gerd Hoffmann]

c++ compiler isn't wrapped with cgcc, resulting in gcc complaining about
the sparse compiler flags which it doesn't know in case qemu is built
with --enable-sparse.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 configure | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure b/configure
index 9ac2600..90349f3 100755
--- a/configure
+++ b/configure
@@ -4908,6 +4908,7 @@ echo "QEMU_CFLAGS=$QEMU_CFLAGS" >> $config_host_mak
 echo "QEMU_INCLUDES=$QEMU_INCLUDES" >> $config_host_mak
 if test "$sparse" = "yes" ; then
   echo "CC           := REAL_CC=\"\$(CC)\" cgcc"       >> $config_host_mak
+  echo "CXX          := REAL_CC=\"\$(CXX)\" cgcc"      >> $config_host_mak
   echo "HOST_CC      := REAL_CC=\"\$(HOST_CC)\" cgcc"  >> $config_host_mak
   echo "QEMU_CFLAGS  += -Wbitwise -Wno-transparent-union -Wno-old-initializer -Wno-non-pointer-null" >> $config_host_mak
 fi
-- 
1.8.3.1