From: sciencewhiz <christmasboy_81@rossesmail.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [Bug 575887] Re: VNC heap corruption at 1400x1050 (with % 16 != 0)
Date: Fri, 04 Jun 2010 03:52:07 -0000
Message-ID: <20100604035208.15535.77467.malone@gandwana.canonical.com>
In-Reply-To: 20100505164440.21255.94144.malonedeb@wampee.canonical.com
Where can I find a list of supported QEMU resolutions?
--
VNC heap corruption at 1400x1050 (with % 16 != 0)
https://bugs.launchpad.net/bugs/575887
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
Status in QEMU: Invalid
Bug description:
vnc_refresh_server_surface assumes that the display width is a multiple of 16. If it's not, then it accesses beyond the end of the row by a few bytes. On all but the last row, this is mostly harmless (it can result in unnecessarily marking the end of the row dirty), but on the last row, it copies over heap metadata. This triggers a crash when changing resolutions or disconnecting and reconnecting a client.
I can trigger this reliably with a Windows 7 guest at 1400x1050 with -vga std.
The attached patch (rather ugly, with debugging code for good measure) partially fixes the issue. There's still a black stripe on the right side of the screen, presumably because there are other bugs in vnc.c (or I messed up the patch).
I'm marking this as a security vulnerability because it allows the guest to overwrite host memory.
The same issue is tracked in Red Hat's bugzilla here:
https://bugzilla.redhat.com/show_bug.cgi?id=583850
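The defect class described in the bug report, as an added C model that is not QEMU's vnc.c and does not reproduce its code: a server-surface refresh walks each row in 16-pixel tiles and compares guest against server pixels, and the flawed variant keeps a fixed 16-pixel tile width on the last tile even when the row width is not a multiple of 16, so on a 1400-pixel row the final tile extends 8 pixels past the row end. The pixel size (32-bit), the buffer layout and the helper names are assumptions of this example; the 16-pixel tile and the 1400-pixel width come from the report. The model bounds-checks its own accesses and records how many bytes the unclamped compare would have read or written past the row instead of actually doing so.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TILE_PX 16   /* tile width in pixels, as stated in the report */
#define BPP      4   /* constructed assumption: 32-bit pixels */
#define MAX_W 4096   /* constructed assumption: largest row this model handles */

struct row_compare {
    size_t dirty_tiles;   /* tiles found to differ between guest and server */
    size_t overrun_bytes; /* bytes the compare/copy would touch past the row */
};

/* Compare `width` pixels of a guest row against the server copy in
 * TILE_PX chunks and copy differing tiles into the server row.
 * clamp == 0 models the bug: the last tile is always TILE_PX wide.
 * clamp != 0 models the fix: the last tile is cut to the pixels left.
 * The model never touches memory past row_bytes; it records the
 * overrun instead, so the flawed variant can be measured safely. */
struct row_compare compare_row(const uint8_t *guest, uint8_t *server,
                               int width, int clamp)
{
    struct row_compare r = {0, 0};
    size_t row_bytes = (size_t)width * BPP;

    for (int x = 0; x < width; x += TILE_PX) {
        int px = TILE_PX;
        if (clamp && width - x < TILE_PX)
            px = width - x;                 /* partial final tile */

        size_t off = (size_t)x * BPP;
        size_t len = (size_t)px * BPP;
        if (off + len > row_bytes) {        /* would run off the end of the row */
            r.overrun_bytes += off + len - row_bytes;
            len = row_bytes - off;          /* model only compares in-bounds bytes */
        }
        if (memcmp(guest + off, server + off, len) != 0) {
            r.dirty_tiles++;
            memcpy(server + off, guest + off, len);  /* refresh the server copy */
        }
    }
    return r;
}

/* Build two constructed rows that differ in one mid-row pixel and run
 * the compare at the given width with or without clamping. */
struct row_compare demo(int width, int clamp)
{
    static uint8_t guest[MAX_W * BPP], server[MAX_W * BPP];  /* constructed rows */
    if (width <= 0 || width > MAX_W) {
        struct row_compare none = {0, 0};
        return none;
    }
    memset(guest, 0x11, sizeof guest);
    memset(server, 0x11, sizeof server);
    guest[(size_t)(width / 2) * BPP] = 0x22;   /* one changed pixel */
    return compare_row(guest, server, width, clamp);
}

int main(void)
{
    int widths[] = {1400, 1024};
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        struct row_compare bug = demo(widths[i], 0);
        struct row_compare fix = demo(widths[i], 1);
        printf("width %4d: unclamped overrun %zu bytes, clamped overrun %zu bytes, "
               "dirty tiles %zu\n",
               widths[i], bug.overrun_bytes, fix.overrun_bytes, fix.dirty_tiles);
    }
    return 0;
}
```

At 1400 pixels the unclamped walk overruns the row by 8 pixels (32 bytes at 4 bytes per pixel), which is the "few bytes" the report describes; at 1024 pixels, a multiple of 16, neither variant overruns, which is why the bug only shows at resolutions whose width is not divisible by 16. Clamping the last tile to `width - x` removes the overrun while still detecting the changed pixel.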
Thread overview: 2+ messages
[not found] <20100505164440.21255.94144.malonedeb@wampee.canonical.com>
2010-05-19 19:28 ` [Qemu-devel] [Bug 575887] Re: VNC heap corruption at 1400x1050 (with % 16 != 0) Anthony Liguori
2010-06-04 3:52 ` sciencewhiz [this message]