* [Qemu-devel] [PULL 0/2] vnc patch queue
@ 2014-10-28 10:59 Gerd Hoffmann
From: Gerd Hoffmann @ 2014-10-28 10:59 UTC
  To: qemu-devel; +Cc: Gerd Hoffmann

  Hi,

Here comes the vnc patch queue with two fixes.

please pull,
  Gerd

The following changes since commit 3e9418e160cd8901c83a3c88967158084f5b5c03:

  Revert "main-loop.c: Handle SIGINT, SIGHUP and SIGTERM synchronously" (2014-10-27 15:05:09 +0000)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/pull-vnc-20141028-1

for you to fetch changes up to 9d6b20704734fe1ab789400806ebd54f579d50a2:

  vnc: return directly if no vnc client connected (2014-10-28 11:51:04 +0100)

----------------------------------------------------------------
vnc: return directly if no vnc client connected
vnc: sanitize bits_per_pixel from the client (CVE-2014-7815)

----------------------------------------------------------------
ChenLiang (1):
      vnc: return directly if no vnc client connected

Petr Matousek (1):
      vnc: sanitize bits_per_pixel from the client

 ui/vnc.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)


* [Qemu-devel] [PULL 1/2] vnc: sanitize bits_per_pixel from the client
@ 2014-10-28 10:59 ` Gerd Hoffmann
From: Gerd Hoffmann @ 2014-10-28 10:59 UTC
  To: qemu-devel; +Cc: Petr Matousek, Gerd Hoffmann, Anthony Liguori

From: Petr Matousek <pmatouse@redhat.com>

A bits_per_pixel value of less than 8 could result in accessing
non-initialized buffers later in the code, due to the expectation
that the bytes_per_pixel value used to initialize these buffers is
never zero.

To fix this, check that bits_per_pixel from the client is one of the
values that the rfb protocol specification allows.

This is CVE-2014-7815.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>

[ kraxel: apply codestyle fix ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 ui/vnc.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ui/vnc.c b/ui/vnc.c
index 0fe6eff..8bca597 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
         return;
     }
 
+    switch (bits_per_pixel) {
+    case 8:
+    case 16:
+    case 32:
+        break;
+    default:
+        vnc_client_error(vs);
+        return;
+    }
+
     vs->client_pf.rmax = red_max;
     vs->client_pf.rbits = hweight_long(red_max);
     vs->client_pf.rshift = red_shift;
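Review bot: the new switch validates bits_per_pixel on its own, which is what the commit message calls for (the RFB spec allows only 8, 16 or 32, so bytes_per_pixel can no longer come out as 0), but the context lines right after it store red_max and red_shift into vs->client_pf with no range check visible in this hunk; please confirm that earlier code in set_pixel_format bounds the shift and max values against bits_per_pixel, since those fields are equally client-controlled. A one-line comment above the switch citing the spec (RFC 6143, section 7.4) would also document why 24 is rejected along with the small values.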
-- 
1.8.3.1
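To show the defect and the fix side by side, here is an added, stand-alone C example (not code from the patch or from QEMU's ui/vnc.c). It parses the RFB SetPixelFormat message as laid out in RFC 6143 (1 byte message-type, 3 bytes padding, then a 16-byte PIXEL_FORMAT), applies the same 8/16/32 whitelist the patch adds, and exposes the pre-fix derivation `bits_per_pixel / 8` to make the zero result visible. The type and function names (`pixel_format_t`, `parse_set_pixel_format`, `check_bpp`) and the sample message are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wire size of the RFB SetPixelFormat message (RFC 6143, section 7.5.1):
 * 1 byte message-type (0), 3 bytes padding, then a 16-byte PIXEL_FORMAT. */
#define RFB_SET_PIXEL_FORMAT_LEN 20

typedef struct {
    uint8_t  bits_per_pixel;
    uint8_t  depth;
    uint8_t  big_endian;
    uint8_t  true_colour;
    uint16_t red_max, green_max, blue_max;
    uint8_t  red_shift, green_shift, blue_shift;
    unsigned bytes_per_pixel;   /* derived: what a server sizes its buffers with */
} pixel_format_t;

/* The pre-fix derivation: integer division silently maps 1..7 to 0,
 * which is the root cause the commit message describes. */
unsigned bytes_per_pixel_unchecked(uint8_t bits_per_pixel)
{
    return bits_per_pixel / 8;
}

/* Read a big-endian U16, as the RFB wire format specifies. */
static uint16_t rd_u16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse and validate a SetPixelFormat message. Returns 0 and fills *pf on
 * success, -1 when the message must be rejected (a server would then drop
 * the client, as the patch does via vnc_client_error()). */
int parse_set_pixel_format(const uint8_t *buf, size_t len, pixel_format_t *pf)
{
    if (len < RFB_SET_PIXEL_FORMAT_LEN || buf[0] != 0) {
        return -1;                      /* truncated, or not a SetPixelFormat */
    }
    const uint8_t *f = buf + 4;         /* skip message-type + 3 bytes padding */
    uint8_t bpp = f[0];

    /* The check the patch adds: only the spec's three values are accepted,
     * so bytes_per_pixel is always 1, 2 or 4 and never zero. */
    switch (bpp) {
    case 8:
    case 16:
    case 32:
        break;
    default:
        return -1;
    }

    memset(pf, 0, sizeof(*pf));
    pf->bits_per_pixel = bpp;
    pf->depth = f[1];
    pf->big_endian = f[2];
    pf->true_colour = f[3];
    pf->red_max = rd_u16(f + 4);
    pf->green_max = rd_u16(f + 6);
    pf->blue_max = rd_u16(f + 8);
    pf->red_shift = f[10];
    pf->green_shift = f[11];
    pf->blue_shift = f[12];
    pf->bytes_per_pixel = bpp / 8;
    return 0;
}

/* Constructed sample: a well-formed 32-bit true-colour request. */
static const uint8_t sample_msg[RFB_SET_PIXEL_FORMAT_LEN] = {
    0, 0, 0, 0,                           /* message-type 0, padding */
    32, 24, 0, 1,                         /* bpp 32, depth 24, little-endian, true-colour */
    0x00, 0xff, 0x00, 0xff, 0x00, 0xff,   /* red/green/blue max = 255 */
    16, 8, 0,                             /* red/green/blue shift */
    0, 0, 0                               /* padding */
};

/* Run the parser on a copy of the sample whose bits-per-pixel byte is
 * overwritten with bpp; returns the parser's verdict (0 accept, -1 reject). */
int check_bpp(uint8_t bpp)
{
    uint8_t msg[RFB_SET_PIXEL_FORMAT_LEN];
    pixel_format_t pf;
    memcpy(msg, sample_msg, sizeof(msg));
    msg[4] = bpp;
    return parse_set_pixel_format(msg, sizeof(msg), &pf);
}

/* Feed only the first 10 bytes of the sample; a short read must be rejected. */
int check_truncated(void)
{
    pixel_format_t pf;
    return parse_set_pixel_format(sample_msg, 10, &pf);
}

int main(void)
{
    pixel_format_t pf;
    if (parse_set_pixel_format(sample_msg, sizeof(sample_msg), &pf) == 0) {
        printf("accepted bpp=%u -> bytes_per_pixel=%u\n",
               (unsigned)pf.bits_per_pixel, pf.bytes_per_pixel);
    }
    printf("bpp=4: unchecked bytes_per_pixel=%u, parser verdict=%d\n",
           bytes_per_pixel_unchecked(4), check_bpp(4));
    return 0;
}
```

The point the example makes is that the whitelist is the right shape of check here: rather than testing `bits_per_pixel >= 8`, which would still admit values such as 12 or 24 that the spec does not define, the switch accepts exactly the three values the protocol allows, and every derived quantity follows from one of them.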


* [Qemu-devel] [PULL 2/2] vnc: return directly if no vnc client connected
@ 2014-10-28 10:59 ` Gerd Hoffmann
From: Gerd Hoffmann @ 2014-10-28 10:59 UTC
  To: qemu-devel; +Cc: ChenLiang, Gonglei, Gerd Hoffmann, Anthony Liguori

From: ChenLiang <chenliang88@huawei.com>

graphic_hw_update and vnc_refresh_server_surface don't
need to be done when no vnc client is connected. This can reduce
lock contention, because vnc_refresh will hold the global big
lock for two milliseconds every three seconds.

Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 ui/vnc.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index 8bca597..5707015 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2778,6 +2778,11 @@ static void vnc_refresh(DisplayChangeListener *dcl)
     VncState *vs, *vn;
     int has_dirty, rects = 0;
 
+    if (QTAILQ_EMPTY(&vd->clients)) {
+        update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
+        return;
+    }
+
     graphic_hw_update(NULL);
 
     if (vnc_trylock_display(vd)) {
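Review bot: moving the empty-client check ahead of graphic_hw_update(NULL) means the server surface is no longer refreshed at all while nobody is connected, rather than merely refreshed less often; this hunk does not show the connect path, so please confirm that the first client to attach triggers a full-surface update (or marks the whole dirty bitmap) and does not start from a stale server surface. Backing the timer off to VNC_REFRESH_INTERVAL_MAX before the return looks right.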
@@ -2793,11 +2798,6 @@ static void vnc_refresh(DisplayChangeListener *dcl)
         /* vs might be free()ed here */
     }
 
-    if (QTAILQ_EMPTY(&vd->clients)) {
-        update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
-        return;
-    }
-
     if (has_dirty && rects) {
         vd->dcl.update_interval /= 2;
         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
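Review bot: the removed block sat after the per-client loop whose context comment reads "vs might be free()ed here", i.e. after the point at which the last client can disconnect. With the check now only at the top of vnc_refresh, a refresh during which the last client goes away falls through to the has_dirty && rects interval adjustment with an empty client list. That is harmless, since the next call hits the early return, but a sentence in the commit message noting that the back-off to VNC_REFRESH_INTERVAL_MAX is deferred by one period in that case would make the behaviour change explicit.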
-- 
1.8.3.1


* Re: [Qemu-devel] [PULL 0/2] vnc patch queue
@ 2014-10-30 19:11 ` Peter Maydell
From: Peter Maydell @ 2014-10-30 19:11 UTC
  To: Gerd Hoffmann; +Cc: QEMU Developers

On 28 October 2014 10:59, Gerd Hoffmann <kraxel@redhat.com> wrote:
>   Hi,
>
> Here comes the vnc patch queue with two fixes.
>
> please pull,
>   Gerd
>
> The following changes since commit 3e9418e160cd8901c83a3c88967158084f5b5c03:
>
>   Revert "main-loop.c: Handle SIGINT, SIGHUP and SIGTERM synchronously" (2014-10-27 15:05:09 +0000)
>
> are available in the git repository at:
>
>   git://git.kraxel.org/qemu tags/pull-vnc-20141028-1
>
> for you to fetch changes up to 9d6b20704734fe1ab789400806ebd54f579d50a2:
>
>   vnc: return directly if no vnc client connected (2014-10-28 11:51:04 +0100)
>
> ----------------------------------------------------------------
> vnc: return directly if no vnc client connected
> vnc: sanitize bits_per_pixel from the client (CVE-2014-7815)
>
> ----------------------------------------------------------------

Applied, thanks.

-- PMM

