From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: qemu-devel@nongnu.org, kraxel@redhat.com,
marcandre.lureau@redhat.com, jacek.halon@gmail.com
Subject: Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc
Date: Tue, 23 May 2023 09:16:47 +0100 [thread overview]
Message-ID: <ZGx2bzKuwO6e4E2L@redhat.com> (raw)
In-Reply-To: <20230508141813.1086562-1-mcascell@redhat.com>
On Mon, May 08, 2023 at 04:18:13PM +0200, Mauro Matteo Cascella wrote:
> The cursor_alloc function still accepts a signed integer for both the cursor
> width and height. A specially crafted negative width/height could make datasize
> wrap around and cause the next allocation to be 0, potentially leading to a
> heap buffer overflow. Modify QEMUCursor struct and cursor_alloc prototype to
> accept unsigned ints.
>
I concur with Marc-Andre that there is no code path that can
actually trigger an overflow:
hw/display/ati.c: s->cursor = cursor_alloc(64, 64);
hw/display/vhost-user-gpu.c: s->current_cursor = cursor_alloc(64, 64);
hw/display/virtio-gpu.c: s->current_cursor = cursor_alloc(64, 64);
Not exploitable as fixed size
hw/display/qxl-render.c: c = cursor_alloc(cursor->header.width, cursor->header.height);
Cursor header defined as:
typedef struct SPICE_ATTR_PACKED QXLCursorHeader {
uint64_t unique;
uint16_t type;
uint16_t width;
uint16_t height;
uint16_t hot_spot_x;
uint16_t hot_spot_y;
} QXLCursorHeader;
So no negative values can be passed to cursor_alloc()
hw/display/vmware_vga.c: qc = cursor_alloc(c->width, c->height);
Where 'c' is defined as:
struct vmsvga_cursor_definition_s {
uint32_t width;
uint32_t height;
int id;
uint32_t bpp;
int hot_x;
int hot_y;
uint32_t mask[1024];
uint32_t image[4096];
};
and is also already bounds checked:
if (cursor.width > 256
|| cursor.height > 256
|| cursor.bpp > 32
|| SVGA_BITMAP_SIZE(x, y) > ARRAY_SIZE(cursor.mask)
|| SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
> ARRAY_SIZE(cursor.image)) {
goto badcmd;
}
> Fixes: CVE-2023-1601
> Fixes: fa892e9a ("ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)")
Given there is no possible codepath that can overflow, CVE-2023-1601
looks invalid to me. It should be clsoed as not-a-bug and these two
Fixes lines removed.
> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> Reported-by: Jacek Halon <jacek.halon@gmail.com>
> ---
> include/ui/console.h | 4 ++--
> ui/cursor.c | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
Even though it isn't fixing a bug, the change itself still makes
sense, because there's no reason a negative width/height is ever
appropriate. This protects us against accidentally introducing
future bugs, so with the two CVE Fixes lines removed:
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
>
> diff --git a/include/ui/console.h b/include/ui/console.h
> index 2a8fab091f..92a4d90a1b 100644
> --- a/include/ui/console.h
> +++ b/include/ui/console.h
> @@ -144,13 +144,13 @@ typedef struct QemuUIInfo {
>
> /* cursor data format is 32bit RGBA */
> typedef struct QEMUCursor {
> - int width, height;
> + uint32_t width, height;
> int hot_x, hot_y;
> int refcount;
> uint32_t data[];
> } QEMUCursor;
>
> -QEMUCursor *cursor_alloc(int width, int height);
> +QEMUCursor *cursor_alloc(uint32_t width, uint32_t height);
> QEMUCursor *cursor_ref(QEMUCursor *c);
> void cursor_unref(QEMUCursor *c);
> QEMUCursor *cursor_builtin_hidden(void);
> diff --git a/ui/cursor.c b/ui/cursor.c
> index 6fe67990e2..b5fcb64839 100644
> --- a/ui/cursor.c
> +++ b/ui/cursor.c
> @@ -90,7 +90,7 @@ QEMUCursor *cursor_builtin_left_ptr(void)
> return cursor_parse_xpm(cursor_left_ptr_xpm);
> }
>
> -QEMUCursor *cursor_alloc(int width, int height)
> +QEMUCursor *cursor_alloc(uint32_t width, uint32_t height)
> {
> QEMUCursor *c;
> size_t datasize = width * height * sizeof(uint32_t);
> --
> 2.40.1
>
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2023-05-23 8:17 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-08 14:18 [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc Mauro Matteo Cascella
2023-05-09 7:13 ` Marc-André Lureau
2023-05-22 18:55 ` Philippe Mathieu-Daudé
2023-05-22 19:14 ` Mauro Matteo Cascella
2023-05-23 4:53 ` Gerd Hoffmann
2023-05-23 8:09 ` Daniel P. Berrangé
2023-05-23 8:37 ` Philippe Mathieu-Daudé
2023-05-23 12:57 ` Mauro Matteo Cascella
2023-05-23 14:06 ` Philippe Mathieu-Daudé
2023-05-23 15:17 ` Mauro Matteo Cascella
2023-05-10 18:23 ` Michael Tokarev
2023-05-22 18:05 ` Mauro Matteo Cascella
2023-05-23 8:16 ` Daniel P. Berrangé [this message]
2023-05-23 12:50 ` Mauro Matteo Cascella
2023-05-23 13:02 ` Daniel P. Berrangé
2023-05-23 15:02 ` Mauro Matteo Cascella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZGx2bzKuwO6e4E2L@redhat.com \
--to=berrange@redhat.com \
--cc=jacek.halon@gmail.com \
--cc=kraxel@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=mcascell@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).