From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: Mauro Matteo Cascella <mcascell@redhat.com>,
Alexander Bulekov <alxndr@redhat.com>
Cc: Qiang Liu <qiangliu@zju.edu.cn>,
Prasad J Pandit <pjp@fedoraproject.org>,
QEMU Developers <qemu-devel@nongnu.org>,
Gerd Hoffmann <kraxel@redhat.com>, Gaoning Pan <pgn@zju.edu.cn>,
Ziming Zhang <ezrakiez@gmail.com>,
Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)
Date: Mon, 6 Sep 2021 20:19:34 +0200 [thread overview]
Message-ID: <3ef43b0d-4b89-85a4-f2bf-b7f8a256d1db@redhat.com> (raw)
In-Reply-To: <CAA8xKjXkDwPYxSAeRb+2mfHRrbiL_kh9unVkemFXLfF68UXePA@mail.gmail.com>
(Forgot to Cc Alex for eventual reproducer)
On 9/6/21 6:44 PM, Mauro Matteo Cascella wrote:
> On Mon, Sep 6, 2021 at 5:31 PM Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>>
>> When building QEMU with DEBUG_ATI defined then running with
>> '-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
>> we get:
>>
>> ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
>> ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
>> ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
>> ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
>> ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
>> ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
>> ati_mm_write 4 0x1420 DST_Y <- 0x3fff
>> ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
>> ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
>> ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
>> ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
>> ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
>> Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
>> (gdb) bt
>> #0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
>> #1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
>> #2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
>> #3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
>> #4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492
>>
>> Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
>> the local dst_x and dst_y which adjust the (x, y) coordinates
>> depending on the direction in the SRCCOPY ROP3 operation, but
>> forgot to address the same issue for the PATCOPY, BLACKNESS and
>> WHITENESS operations, which also call pixman_fill().
>>
>> Fix that now by using the adjusted coordinates in the pixman_fill
>> call, and update the related debug printf().
>>
>> Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
>> Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
>> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
>> ---
>> hw/display/ati_2d.c | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
>> index 4dc10ea7952..692bec91de4 100644
>> --- a/hw/display/ati_2d.c
>> +++ b/hw/display/ati_2d.c
>> @@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
>> DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
>> s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
>> s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
>> - s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
>> + s->regs.src_x, s->regs.src_y, dst_x, dst_y,
>> s->regs.dst_width, s->regs.dst_height,
>> (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
>> (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
>> @@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
>> dst_stride /= sizeof(uint32_t);
>> DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
>> dst_bits, dst_stride, bpp,
>> - s->regs.dst_x, s->regs.dst_y,
>> + dst_x, dst_y,
>> s->regs.dst_width, s->regs.dst_height,
>> filler);
>> pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
>> - s->regs.dst_x, s->regs.dst_y,
>> + dst_x, dst_y,
>> s->regs.dst_width, s->regs.dst_height,
>> filler);
>> if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
>> --
>> 2.31.1
>>
>
> Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
Thanks. I wouldn't be surprise if we get another CVE in this code /
file / function ASAP this patch get merged... The code calls for a
rewrite, as per this function comment in its header:
void ati_2d_blt(ATIVGAState *s)
{
/* FIXME it is probably more complex than this and may need to be */
/* rewritten but for now as a start just to get some output: */
Regards,
Phil.
next prev parent reply other threads:[~2021-09-06 18:21 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-06 15:31 [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638) Philippe Mathieu-Daudé
2021-09-06 16:44 ` Mauro Matteo Cascella
2021-09-06 18:19 ` Philippe Mathieu-Daudé [this message]
2021-09-06 19:19 ` Alexander Bulekov
2021-09-07 5:42 ` Philippe Mathieu-Daudé
2021-09-06 19:52 ` BALATON Zoltan
2021-09-07 5:38 ` Philippe Mathieu-Daudé
2021-09-07 6:22 ` Philippe Mathieu-Daudé
2021-09-09 9:16 ` Mauro Matteo Cascella
2021-09-09 9:32 ` Philippe Mathieu-Daudé
2021-09-07 6:19 ` Philippe Mathieu-Daudé
2022-08-30 10:32 ` Qiang Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3ef43b0d-4b89-85a4-f2bf-b7f8a256d1db@redhat.com \
--to=philmd@redhat.com \
--cc=alxndr@redhat.com \
--cc=carnil@debian.org \
--cc=ezrakiez@gmail.com \
--cc=kraxel@redhat.com \
--cc=mcascell@redhat.com \
--cc=pgn@zju.edu.cn \
--cc=pjp@fedoraproject.org \
--cc=qemu-devel@nongnu.org \
--cc=qiangliu@zju.edu.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).