qemu-devel.nongnu.org archive mirror
From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: qemu-devel@nongnu.org
Cc: Mauro Matteo Cascella <mcascell@redhat.com>,
	Qiang Liu <qiangliu@zju.edu.cn>,
	Prasad J Pandit <pjp@fedoraproject.org>,
	Gerd Hoffmann <kraxel@redhat.com>, Gaoning Pan <pgn@zju.edu.cn>,
	Ziming Zhang <ezrakiez@gmail.com>,
	Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)
Date: Tue, 7 Sep 2021 08:19:33 +0200
Message-ID: <14239d0f-e720-0225-c6be-1befeb2098a6@redhat.com>
In-Reply-To: <20210906153103.1661195-1-philmd@redhat.com>

On 9/6/21 5:31 PM, Philippe Mathieu-Daudé wrote:
> When building QEMU with DEBUG_ATI defined then running with
> '-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
> we get:
> 
>   ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
>   ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
>   ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
>   ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
>   ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
>   ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
>   ati_mm_write 4 0x1420 DST_Y <- 0x3fff
>   ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
>   ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
>   ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
>   ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
>   ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
>   Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
>   (gdb) bt
>   #0  0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
>   #1  0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
>   #2  0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
>   #3  0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
>   #4  0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492
> 
> Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
> the local dst_x and dst_y which adjust the (x, y) coordinates
> depending on the direction in the SRCCOPY ROP3 operation, but
> forgot to address the same issue for the PATCOPY, BLACKNESS and
> WHITENESS operations, which also call pixman_fill().
> 
> Fix that now by using the adjusted coordinates in the pixman_fill
> call, and update the related debug printf().
> 

Forgot here:

Cc: qemu-stable@nongnu.org

> Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
> Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
>  hw/display/ati_2d.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
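The direction-dependent coordinate adjustment the patch description refers to, paired with the bounds check a fill path needs before handing a guest-controlled rectangle to pixman_fill(), as an added C example that is not part of the patch or of QEMU's hw/display/ati_2d.c. The DIR_* flag bits, the register-to-origin formula and the 16 MiB VRAM size are assumptions; the rectangle, depth and stride values come from the trace quoted above.

```c
#include <stdbool.h>
#include <stdint.h>

/* Blit direction flags. Bit assignments are an assumption for this example
 * (modelled on the '>' / '^' markers in the trace), not QEMU's definitions. */
#define DIR_X_LEFT_TO_RIGHT (1u << 0)
#define DIR_Y_TOP_TO_BOTTOM (1u << 1)

struct fill_op {
    uint32_t dst_x, dst_y;   /* coordinates as written to the registers */
    uint32_t width, height;  /* rectangle size in pixels */
    uint32_t dir;            /* DIR_* flags */
};

/* Translate register coordinates to the rectangle's top-left corner. For a
 * reverse blit the register holds the far edge, so the origin is x + 1 - width
 * (resp. y + 1 - height): the adjustment SRCCOPY had and the fill paths lacked. */
static void adjust_dst(const struct fill_op *op, int64_t *x, int64_t *y)
{
    *x = (op->dir & DIR_X_LEFT_TO_RIGHT) ? (int64_t)op->dst_x
                                         : (int64_t)op->dst_x + 1 - op->width;
    *y = (op->dir & DIR_Y_TOP_TO_BOTTOM) ? (int64_t)op->dst_y
                                         : (int64_t)op->dst_y + 1 - op->height;
}

/* True only if every pixel of the w x h rectangle at (x, y) lies inside
 * vram_size bytes of a surface with the given pitch and depth (64-bit math). */
static bool fill_in_bounds(uint64_t vram_size, uint32_t stride_bytes,
                           uint32_t bpp, int64_t x, int64_t y,
                           uint32_t w, uint32_t h)
{
    if (x < 0 || y < 0 || w == 0 || h == 0 || stride_bytes == 0) return false;
    if (bpp == 0 || bpp % 8) return false;
    uint64_t bytes_pp = bpp / 8;
    if ((uint64_t)x + w > stride_bytes / bytes_pp) return false;  /* row overrun */
    uint64_t end = ((uint64_t)y + h - 1) * stride_bytes + ((uint64_t)x + w) * bytes_pp;
    return end <= vram_size;
}

/* Register values from the trace: DP_CNTL=0x1, DST_Y=DST_HEIGHT=0x3fff,
 * DST_WIDTH_X=0x3fff3fff, 8 bpp, stride 254 words; 16 MiB VRAM is constructed. */
static bool trace_fill_rejected(void)
{
    struct fill_op op = { 0x3fff, 0x3fff, 0x3fff, 0x3fff, 0x1 };
    int64_t x, y;
    adjust_dst(&op, &x, &y);                 /* (16383, 16383) -> (16383, 1) */
    return !fill_in_bounds(16u << 20, 254 * 4, 8, x, y, op.width, op.height);
}
```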