From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from [140.186.70.92] (port=43987 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1OKO5R-0007jj-7s
	for qemu-devel@nongnu.org; Fri, 04 Jun 2010 00:00:50 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <bounces@canonical.com>) id 1OKO5P-00011C-OA
	for qemu-devel@nongnu.org; Fri, 04 Jun 2010 00:00:49 -0400
Received: from adelie.canonical.com ([91.189.90.139]:56660)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <bounces@canonical.com>) id 1OKO5P-000111-KM
	for qemu-devel@nongnu.org; Fri, 04 Jun 2010 00:00:47 -0400
Received: from loganberry.canonical.com ([91.189.90.37])
	by adelie.canonical.com with esmtp (Exim 4.69 #1 (Debian))
	id 1OKO5K-0002VA-CH
	for <qemu-devel@nongnu.org>; Fri, 04 Jun 2010 05:00:43 +0100
Received: from loganberry.canonical.com (localhost [127.0.0.1])
	by loganberry.canonical.com (Postfix) with ESMTP id EDD572E826B
	for <qemu-devel@nongnu.org>; Fri,  4 Jun 2010 05:00:36 +0100 (BST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 04 Jun 2010 03:52:07 -0000
From: sciencewhiz <christmasboy_81@rossesmail.com>
Sender: bounces@canonical.com
References: <20100505164440.21255.94144.malonedeb@wampee.canonical.com>
Message-Id: <20100604035208.15535.77467.malone@gandwana.canonical.com>
Errors-To: bounces@canonical.com
Subject: [Qemu-devel] [Bug 575887] Re: VNC heap corruption at 1400x1050
	(with % 16 != 0)
Reply-To: Bug 575887 <575887@bugs.launchpad.net>
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

Where can I find a list of supported QEMU resolutions?

-- =

VNC heap corruption at 1400x1050 (with % 16 !=3D 0)
https://bugs.launchpad.net/bugs/575887
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.

Status in QEMU: Invalid

Bug description:
vnc_refresh_server_surface assumes that the display width
is a multiple of 16.  If it's not, then it accesses beyond the end of the r=
ow
by a few bytes.  On all but the last row, this is mostly harmless (it can
result in unnecessarily marking the end of the row dirty), but on the last =
row,
it copies over heap metadata.  This triggers a crash when changing resoluti=
ons or disconnecting and reconnecting a client.

I can trigger this reliably with a Windows 7 guest at 1400x1050 with -vga s=
td.

The attached patch (rather ugly, with debugging code for good measure) part=
ially fixes the issue.  There's still a black stripe on the right side of t=
he screen, presumably because there are other bugs in vnc.c (or I messed up=
 the patch).

I'm marking this as a security vulnerability because it allows the guest to=
 overwrite host memory.

The same issue is tracked in Red Hat's bugzilla here:
https://bugzilla.redhat.com/show_bug.cgi?id=3D583850