From: Anthony Liguori
Date: Mon, 11 Jan 2010 10:01:37 -0600
Subject: Re: [Qemu-devel] [PATCH resend] vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow
To: Roland Dreier
Cc: qemu-devel@nongnu.org
Message-ID: <4B4B4B61.90303@codemonkey.ws>
References: <4B2AB1F2.3060507@codemonkey.ws>

On 01/05/2010 10:43 PM, Roland Dreier wrote:
> Check that the cursor dimensions passed from the guest for the
> DEFINE_CURSOR command don't overflow the available space in the
> cursor.image[] or cursor.mask[] arrays before copying data from the
> guest into those arrays.
>
> Signed-off-by: Roland Dreier

Applied. Thanks.

Regards,

Anthony Liguori

> ---
> Hi Anthony,
>
> as far as I can tell this seems to have slipped through the cracks. I
> think this is fairly important: it is a guest-triggerable stack smashing
> attack in the worst case.
>
> Thanks,
> Roland
>
> hw/vmware_vga.c | 7 +++++++
> 1 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
> index 7ab1c79..5e969ae 100644
> --- a/hw/vmware_vga.c
> +++ b/hw/vmware_vga.c
> @@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
> cursor.height = y = vmsvga_fifo_read(s);
> vmsvga_fifo_read(s);
> cursor.bpp = vmsvga_fifo_read(s);
> +
> + if (SVGA_BITMAP_SIZE(x, y)> sizeof cursor.mask ||
> + SVGA_PIXMAP_SIZE(x, y, cursor.bpp)> sizeof cursor.image) {
> + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
> + goto badcmd;
> + }
> +
> for (args = 0; args< SVGA_BITMAP_SIZE(x, y); args ++)
> cursor.mask[args] = vmsvga_fifo_read_raw(s);
> for (args = 0; args< SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)
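Review bot: the comparison in the added `if` mixes units. The copy loops below index the arrays element-wise (`cursor.mask[args]` for `args` up to `SVGA_BITMAP_SIZE(x, y)`, and likewise for `cursor.image`), so the limit the check needs is the element count, but `sizeof cursor.mask` and `sizeof cursor.image` are byte sizes; unless both arrays are byte arrays, the check still admits counts up to one element-size factor larger than the array and the overflow stays reachable from the guest. Suggest comparing against `sizeof cursor.mask / sizeof cursor.mask[0]` and `sizeof cursor.image / sizeof cursor.image[0]` (or ARRAY_SIZE if the tree has it). Minor: the `args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);` before `goto badcmd` reads as the number of FIFO words badcmd should skip; a one-line comment saying so would spare the next reader the guess.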