* [Qemu-devel] [PULL for-2.2 0/2] cirrus: fix blit region check (cve-2014-8106)
@ 2014-12-04 12:13 Gerd Hoffmann
2014-12-04 12:13 ` [Qemu-devel] [PULL 1/2] cirrus: fix blit region check Gerd Hoffmann
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Gerd Hoffmann @ 2014-12-04 12:13 UTC (permalink / raw)
To: qemu-devel; +Cc: Gerd Hoffmann
Hi,
Last minute pull req for 2.2, carrying a security
fix for cirrus bitblit ops.
please pull,
Gerd
The following changes since commit db12451decf7dfe0f083564183e135f2095228b9:
Fix for crash after migration in virtio-rng on bi-endian targets (2014-11-28 13:06:00 +0000)
are available in the git repository at:
git://git.kraxel.org/qemu tags/pull-cve-2014-8106-20141204-1
for you to fetch changes up to bf25983345ca44aec3dd92c57142be45452bd38a:
cirrus: don't overflow CirrusVGAState->cirrus_bltbuf (2014-12-01 10:25:46 +0100)
----------------------------------------------------------------
cirrus: fix blit region check
----------------------------------------------------------------
Gerd Hoffmann (2):
cirrus: fix blit region check
cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
hw/display/cirrus_vga.c | 65 ++++++++++++++++++++++++++++++++++++-------------
1 file changed, 48 insertions(+), 17 deletions(-)
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Qemu-devel] [PULL 1/2] cirrus: fix blit region check
2014-12-04 12:13 [Qemu-devel] [PULL for-2.2 0/2] cirrus: fix blit region check (cve-2014-8106) Gerd Hoffmann
@ 2014-12-04 12:13 ` Gerd Hoffmann
2014-12-04 12:13 ` [Qemu-devel] [PULL 2/2] cirrus: don't overflow CirrusVGAState->cirrus_bltbuf Gerd Hoffmann
2014-12-04 13:15 ` [Qemu-devel] [PULL for-2.2 0/2] cirrus: fix blit region check (cve-2014-8106) Peter Maydell
2 siblings, 0 replies; 4+ messages in thread
From: Gerd Hoffmann @ 2014-12-04 12:13 UTC (permalink / raw)
To: qemu-devel; +Cc: Gerd Hoffmann
Issues:
* Doesn't check pitches correctly in case it is negative.
* Doesn't check width at all.
Turn macro into functions while being at it, also factor out the check
for one region which we then can simply call twice for src + dst.
This is CVE-2014-8106.
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/display/cirrus_vga.c | 61 +++++++++++++++++++++++++++++++++++--------------
1 file changed, 44 insertions(+), 17 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 8a5b76c..d54fb06 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -173,20 +173,6 @@
#define CIRRUS_PNPMMIO_SIZE 0x1000
-#define BLTUNSAFE(s) \
- ( \
- ( /* check dst is within bounds */ \
- (s)->cirrus_blt_height * ABS((s)->cirrus_blt_dstpitch) \
- + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \
- (s)->vga.vram_size \
- ) || \
- ( /* check src is within bounds */ \
- (s)->cirrus_blt_height * ABS((s)->cirrus_blt_srcpitch) \
- + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \
- (s)->vga.vram_size \
- ) \
- )
-
struct CirrusVGAState;
typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
uint8_t * dst, const uint8_t * src,
@@ -279,6 +265,46 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
*
***************************************/
+static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ int32_t pitch, int32_t addr)
+{
+ if (pitch < 0) {
+ int64_t min = addr
+ + ((int64_t)s->cirrus_blt_height-1) * pitch;
+ int32_t max = addr
+ + s->cirrus_blt_width;
+ if (min < 0 || max >= s->vga.vram_size) {
+ return true;
+ }
+ } else {
+ int64_t max = addr
+ + ((int64_t)s->cirrus_blt_height-1) * pitch
+ + s->cirrus_blt_width;
+ if (max >= s->vga.vram_size) {
+ return true;
+ }
+ }
+ return false;
+}
+
+static bool blit_is_unsafe(struct CirrusVGAState *s)
+{
+ /* should be the case, see cirrus_bitblt_start */
+ assert(s->cirrus_blt_width > 0);
+ assert(s->cirrus_blt_height > 0);
+
+ if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
+ s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+ return true;
+ }
+ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+ return true;
+ }
+
+ return false;
+}
+
static void cirrus_bitblt_rop_nop(CirrusVGAState *s,
uint8_t *dst,const uint8_t *src,
int dstpitch,int srcpitch,
@@ -636,7 +662,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
- if (BLTUNSAFE(s))
+ if (blit_is_unsafe(s))
return 0;
(*s->cirrus_rop) (s, dst, src,
@@ -654,8 +680,9 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
{
cirrus_fill_t rop_func;
- if (BLTUNSAFE(s))
+ if (blit_is_unsafe(s)) {
return 0;
+ }
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
s->cirrus_blt_dstpitch,
@@ -752,7 +779,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
{
- if (BLTUNSAFE(s))
+ if (blit_is_unsafe(s))
return 0;
cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
--
1.8.3.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Qemu-devel] [PULL 2/2] cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
2014-12-04 12:13 [Qemu-devel] [PULL for-2.2 0/2] cirrus: fix blit region check (cve-2014-8106) Gerd Hoffmann
2014-12-04 12:13 ` [Qemu-devel] [PULL 1/2] cirrus: fix blit region check Gerd Hoffmann
@ 2014-12-04 12:13 ` Gerd Hoffmann
2014-12-04 13:15 ` [Qemu-devel] [PULL for-2.2 0/2] cirrus: fix blit region check (cve-2014-8106) Peter Maydell
2 siblings, 0 replies; 4+ messages in thread
From: Gerd Hoffmann @ 2014-12-04 12:13 UTC (permalink / raw)
To: qemu-devel; +Cc: Gerd Hoffmann
This is CVE-2014-8106.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/cirrus_vga.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index d54fb06..2725264 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -293,6 +293,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
assert(s->cirrus_blt_width > 0);
assert(s->cirrus_blt_height > 0);
+ if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
+ return true;
+ }
+
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
return true;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [PULL for-2.2 0/2] cirrus: fix blit region check (cve-2014-8106)
2014-12-04 12:13 [Qemu-devel] [PULL for-2.2 0/2] cirrus: fix blit region check (cve-2014-8106) Gerd Hoffmann
2014-12-04 12:13 ` [Qemu-devel] [PULL 1/2] cirrus: fix blit region check Gerd Hoffmann
2014-12-04 12:13 ` [Qemu-devel] [PULL 2/2] cirrus: don't overflow CirrusVGAState->cirrus_bltbuf Gerd Hoffmann
@ 2014-12-04 13:15 ` Peter Maydell
2 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2014-12-04 13:15 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: QEMU Developers
On 4 December 2014 at 12:13, Gerd Hoffmann <kraxel@redhat.com> wrote:
> Hi,
>
> Last minute pull req for 2.2, carrying a security
> fix for cirrus bitblit ops.
Applied, thanks. We'll need to do an rc5 now; is there
anything else in the pipeline?
thanks
-- PMM
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-12-04 13:16 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-12-04 12:13 [Qemu-devel] [PULL for-2.2 0/2] cirrus: fix blit region check (cve-2014-8106) Gerd Hoffmann
2014-12-04 12:13 ` [Qemu-devel] [PULL 1/2] cirrus: fix blit region check Gerd Hoffmann
2014-12-04 12:13 ` [Qemu-devel] [PULL 2/2] cirrus: don't overflow CirrusVGAState->cirrus_bltbuf Gerd Hoffmann
2014-12-04 13:15 ` [Qemu-devel] [PULL for-2.2 0/2] cirrus: fix blit region check (cve-2014-8106) Peter Maydell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).