* [Qemu-devel] [Bug 575887] Re: VNC heap corruption at 1400x1050 (with % 16 != 0)
From: Anthony Liguori @ 2010-05-19 19:28 UTC (permalink / raw)
To: qemu-devel
Marking this invalid against qemu as it doesn't support that non-standard VESA resolution.
** Changed in: qemu
Status: New => Confirmed
** Changed in: qemu
Importance: Undecided => High
** Changed in: qemu
Status: Confirmed => Invalid
--
VNC heap corruption at 1400x1050 (with % 16 != 0)
https://bugs.launchpad.net/bugs/575887
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
Status in QEMU: Invalid
Bug description:
vnc_refresh_server_surface assumes that the display width is a multiple of 16. If it's not, then it accesses beyond the end of the row by a few bytes. On all but the last row, this is mostly harmless (it can result in unnecessarily marking the end of the row dirty), but on the last row, it copies over heap metadata. This triggers a crash when changing resolutions or disconnecting and reconnecting a client.
I can trigger this reliably with a Windows 7 guest at 1400x1050 with -vga std.
The attached patch (rather ugly, with debugging code for good measure) partially fixes the issue. There's still a black stripe on the right side of the screen, presumably because there are other bugs in vnc.c (or I messed up the patch).
I'm marking this as a security vulnerability because it allows the guest to overwrite host memory.
The same issue is tracked in Red Hat's bugzilla here:
https://bugzilla.redhat.com/show_bug.cgi?id=583850
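As an added illustration (not QEMU's vnc.c and not the patch attached to the bug), here is a simplified model of the 16-pixel chunked refresh the report describes, with a canary region placed behind the server surface so the last-row overrun shows up in a test instead of in heap metadata. One byte per pixel, the buffer layout and the function names are assumptions made for the model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Model of a refresh loop that compares guest and server surfaces in
 * 16-pixel chunks (1 byte per pixel, constructed values) and copies changed
 * chunks into the server copy. Not QEMU's own code. */
#define CHUNK 16
#define GUARD 64        /* slack after the surface, filled with a canary */
#define CANARY 0xA5

/* Bytes a rounded-up loop touches past the end of a row of `width` pixels. */
int row_overrun(int width) {
    return ((width + CHUNK - 1) / CHUNK) * CHUNK - width;
}

/* clamp == false reproduces the reported assumption (row length rounded up to
 * a multiple of 16); clamp == true compares only the bytes the row really has. */
static void refresh(const uint8_t *guest, uint8_t *server,
                    int width, int height, bool clamp) {
    for (int y = 0; y < height; y++) {
        const uint8_t *g = guest + (size_t)y * width;
        uint8_t *s = server + (size_t)y * width;
        for (int x = 0; x < width; x += CHUNK) {
            int n = clamp ? (width - x < CHUNK ? width - x : CHUNK) : CHUNK;
            if (memcmp(g + x, s + x, n) != 0)
                memcpy(s + x, g + x, n);  /* runs past the row end when !clamp */
        }
    }
}

/* Runs one refresh on surfaces with a guard region behind them and returns
 * how many guard bytes were overwritten (0 means the loop stayed in bounds). */
int guard_bytes_clobbered(int width, int height, bool clamp) {
    size_t len = (size_t)width * height;
    uint8_t *guest = malloc(len + GUARD), *server = malloc(len + GUARD);
    memset(guest, 0xFF, len + GUARD);     /* guest differs everywhere ... */
    memset(server, 0x00, len);            /* ... from the stale server copy */
    memset(server + len, CANARY, GUARD);  /* canary sits where heap metadata would */
    refresh(guest, server, width, height, clamp);
    int clobbered = 0;
    for (int i = 0; i < GUARD; i++)
        clobbered += server[len + i] != CANARY;
    free(guest);
    free(server);
    return clobbered;
}
```

At 1400 pixels the rounded-up loop reaches 8 bytes past every row, and on the last row those 8 bytes land in the canary; the clamped loop leaves it untouched.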
* [Qemu-devel] [Bug 575887] Re: VNC heap corruption at 1400x1050 (with % 16 != 0)
From: sciencewhiz @ 2010-06-04 3:52 UTC (permalink / raw)
To: qemu-devel
Where can I find a list of supported QEMU resolutions?