From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1Jt8Ck-0006vW-2G
	for qemu-devel@nongnu.org; Mon, 05 May 2008 17:26:38 -0400
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1Jt8Ci-0006v6-Fy
	for qemu-devel@nongnu.org; Mon, 05 May 2008 17:26:36 -0400
Received: from [199.232.76.173] (port=54295 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Jt8Ci-0006v3-AV
	for qemu-devel@nongnu.org; Mon, 05 May 2008 17:26:36 -0400
Received: from savannah.gnu.org ([199.232.41.3] helo=sv.gnu.org)
	by monty-python.gnu.org with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.60) (envelope-from <aurelien@aurel32.net>)
	id 1Jt8Ch-0001Li-V8
	for qemu-devel@nongnu.org; Mon, 05 May 2008 17:26:36 -0400
Received: from cvs.savannah.gnu.org ([199.232.41.69])
	by sv.gnu.org with esmtp (Exim 4.63)
	(envelope-from <aurelien@aurel32.net>) id 1Jt8Cg-0007Q7-0e
	for qemu-devel@nongnu.org; Mon, 05 May 2008 21:26:34 +0000
Received: from aurel32 by cvs.savannah.gnu.org with local (Exim 4.63)
	(envelope-from <aurel32@savannah.gnu.org>) id 1Jt8Ce-0007Q2-W8
	for qemu-devel@nongnu.org; Mon, 05 May 2008 21:26:33 +0000
MIME-Version: 1.0
Errors-To: aurel32
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Aurelien Jarno <aurelien@aurel32.net>
Message-Id: <E1Jt8Ce-0007Q2-W8@cvs.savannah.gnu.org>
Date: Mon, 05 May 2008 21:26:33 +0000
Subject: [Qemu-devel] [4340] CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap
	overflow
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

Revision: 4340
          http://svn.sv.gnu.org/viewvc/?view=rev&root=qemu&revision=4340
Author:   aurel32
Date:     2008-05-05 21:26:31 +0000 (Mon, 05 May 2008)

Log Message:
-----------
CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow

I have just noticed that patch for CVE-2007-1320 has never been applied
to the QEMU CVS. Please find it below.

| Multiple heap-based buffer overflows in the cirrus_invalidate_region
| function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and
| possibly other products, might allow local users to execute arbitrary
| code via unspecified vectors related to "attempting to mark
| non-existent regions as dirty," aka the "bitblt" heap overflow.

Modified Paths:
--------------
    trunk/hw/cirrus_vga.c
    trunk/hw/cirrus_vga_rop.h

Modified: trunk/hw/cirrus_vga.c
===================================================================
--- trunk/hw/cirrus_vga.c	2008-05-05 17:37:44 UTC (rev 4339)
+++ trunk/hw/cirrus_vga.c	2008-05-05 21:26:31 UTC (rev 4340)
@@ -220,6 +220,20 @@
 #define CIRRUS_HOOK_NOT_HANDLED 0
 #define CIRRUS_HOOK_HANDLED 1
 
+#define BLTUNSAFE(s) \
+    ( \
+        ( /* check dst is within bounds */ \
+            (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \
+                + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \
+                    (s)->vram_size \
+        ) || \
+        ( /* check src is within bounds */ \
+            (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \
+                + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \
+                    (s)->vram_size \
+        ) \
+    )
+
 struct CirrusVGAState;
 typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
                                      uint8_t * dst, const uint8_t * src,
@@ -639,7 +653,7 @@
 
     for (y = 0; y < lines; y++) {
 	off_cur = off_begin;
-	off_cur_end = off_cur + bytesperline;
+	off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
 	off_cur &= TARGET_PAGE_MASK;
 	while (off_cur < off_cur_end) {
 	    cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
@@ -654,7 +668,11 @@
 {
     uint8_t *dst;
 
-    dst = s->vram_ptr + s->cirrus_blt_dstaddr;
+    dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+
+    if (BLTUNSAFE(s))
+        return 0;
+
     (*s->cirrus_rop) (s, dst, src,
                       s->cirrus_blt_dstpitch, 0,
                       s->cirrus_blt_width, s->cirrus_blt_height);
@@ -670,8 +688,10 @@
 {
     cirrus_fill_t rop_func;
 
+    if (BLTUNSAFE(s))
+        return 0;
     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-    rop_func(s, s->vram_ptr + s->cirrus_blt_dstaddr,
+    rop_func(s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
              s->cirrus_blt_dstpitch,
              s->cirrus_blt_width, s->cirrus_blt_height);
     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
@@ -690,8 +710,8 @@
 static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
 {
     return cirrus_bitblt_common_patterncopy(s,
-					    s->vram_ptr +
-                                            (s->cirrus_blt_srcaddr & ~7));
+					    s->vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
+                                            s->cirrus_addr_mask));
 }
 
 static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
@@ -741,8 +761,10 @@
     if (notify)
 	vga_hw_update();
 
-    (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
-		      s->vram_ptr + s->cirrus_blt_srcaddr,
+    (*s->cirrus_rop) (s, s->vram_ptr +
+		      (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+		      s->vram_ptr +
+		      (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
 		      s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
 		      s->cirrus_blt_width, s->cirrus_blt_height);
 
@@ -768,8 +790,14 @@
 		       s->cirrus_blt_srcaddr - s->start_addr,
 		       s->cirrus_blt_width, s->cirrus_blt_height);
     } else {
-	(*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
-			  s->vram_ptr + s->cirrus_blt_srcaddr,
+
+    if (BLTUNSAFE(s))
+        return 0;
+
+	(*s->cirrus_rop) (s, s->vram_ptr +
+                (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+			  s->vram_ptr +
+                (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
 			  s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
 			  s->cirrus_blt_width, s->cirrus_blt_height);
 
@@ -801,8 +829,9 @@
         } else {
             /* at least one scan line */
             do {
-                (*s->cirrus_rop)(s, s->vram_ptr + s->cirrus_blt_dstaddr,
-                                 s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
+                (*s->cirrus_rop)(s, s->vram_ptr +
+                                 (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+                                  s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
                 cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
                                          s->cirrus_blt_width, 1);
                 s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
@@ -1920,7 +1949,7 @@
     unsigned val = mem_value;
     uint8_t *dst;
 
-    dst = s->vram_ptr + offset;
+    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;
@@ -1943,7 +1972,7 @@
     unsigned val = mem_value;
     uint8_t *dst;
 
-    dst = s->vram_ptr + offset;
+    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;

Modified: trunk/hw/cirrus_vga_rop.h
===================================================================
--- trunk/hw/cirrus_vga_rop.h	2008-05-05 17:37:44 UTC (rev 4339)
+++ trunk/hw/cirrus_vga_rop.h	2008-05-05 21:26:31 UTC (rev 4340)
@@ -31,6 +31,12 @@
     int x,y;
     dstpitch -= bltwidth;
     srcpitch -= bltwidth;
+
+    if (dstpitch < 0 || srcpitch < 0) {
+        /* is 0 valid? srcpitch == 0 could be useful */
+        return;
+    }
+
     for (y = 0; y < bltheight; y++) {
         for (x = 0; x < bltwidth; x++) {
             ROP_OP(*dst, *src);