qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: "Marc-André Lureau" <marcandre.lureau@gmail.com>,
	"Mauro Matteo Cascella" <mcascell@redhat.com>
Cc: qemu-devel@nongnu.org, kraxel@redhat.com, jacek.halon@gmail.com,
	Richard Henderson <richard.henderson@linaro.org>
Subject: Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc
Date: Mon, 22 May 2023 20:55:02 +0200	[thread overview]
Message-ID: <fcf99624-9a48-6760-a28d-bb88bce6572f@linaro.org> (raw)
In-Reply-To: <CAJ+F1CK2V22PMYP4PQwH+VYKhR32GKxFK5eRODE928iu3LVodA@mail.gmail.com>

On 9/5/23 09:13, Marc-André Lureau wrote:
> Hi
> 
> On Mon, May 8, 2023 at 6:21 PM Mauro Matteo Cascella 
> <mcascell@redhat.com <mailto:mcascell@redhat.com>> wrote:
> 
>     The cursor_alloc function still accepts a signed integer for both
>     the cursor
>     width and height. A specially crafted negative width/height could
>     make datasize
>     wrap around and cause the next allocation to be 0, potentially
>     leading to a
>     heap buffer overflow. Modify QEMUCursor struct and cursor_alloc
>     prototype to
>     accept unsigned ints.
> 
>     Fixes: CVE-2023-1601
>     Fixes: fa892e9a ("ui/cursor: fix integer overflow in cursor_alloc
>     (CVE-2021-4206)")
>     Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com
>     <mailto:mcascell@redhat.com>>
>     Reported-by: Jacek Halon <jacek.halon@gmail.com
>     <mailto:jacek.halon@gmail.com>>
> 
> 
> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com 
> <mailto:marcandre.lureau@redhat.com>>
> 
> It looks like this is not exploitable, QXL code uses u16 types, and 

0xffff * 0xffff * 4 still overflows on 32-bit host, right?

> VMWare VGA checks for values > 256. Other paths use fixed size.
> 
>     ---
>       include/ui/console.h | 4 ++--
>       ui/cursor.c          | 2 +-
>       2 files changed, 3 insertions(+), 3 deletions(-)
> 
>     diff --git a/include/ui/console.h b/include/ui/console.h
>     index 2a8fab091f..92a4d90a1b 100644
>     --- a/include/ui/console.h
>     +++ b/include/ui/console.h
>     @@ -144,13 +144,13 @@ typedef struct QemuUIInfo {
> 
>       /* cursor data format is 32bit RGBA */
>       typedef struct QEMUCursor {
>     -    int                 width, height;
>     +    uint32_t            width, height;
>           int                 hot_x, hot_y;
>           int                 refcount;
>           uint32_t            data[];
>       } QEMUCursor;
> 
>     -QEMUCursor *cursor_alloc(int width, int height);
>     +QEMUCursor *cursor_alloc(uint32_t width, uint32_t height);
>       QEMUCursor *cursor_ref(QEMUCursor *c);
>       void cursor_unref(QEMUCursor *c);
>       QEMUCursor *cursor_builtin_hidden(void);
>     diff --git a/ui/cursor.c b/ui/cursor.c
>     index 6fe67990e2..b5fcb64839 100644
>     --- a/ui/cursor.c
>     +++ b/ui/cursor.c
>     @@ -90,7 +90,7 @@ QEMUCursor *cursor_builtin_left_ptr(void)
>           return cursor_parse_xpm(cursor_left_ptr_xpm);
>       }
> 
>     -QEMUCursor *cursor_alloc(int width, int height)
>     +QEMUCursor *cursor_alloc(uint32_t width, uint32_t height)
>       {
>           QEMUCursor *c;

Can't we check width/height > 0 && <= SOME_LIMIT_THAT_MAKES_SENSE?

Maybe a 16K * 16K cursor is future proof and safe enough.

>           size_t datasize = width * height * sizeof(uint32_t);
>     -- 
>     2.40.1
> 
> 
> 
> 
> -- 
> Marc-André Lureau



  reply	other threads:[~2023-05-22 18:55 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-08 14:18 [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc Mauro Matteo Cascella
2023-05-09  7:13 ` Marc-André Lureau
2023-05-22 18:55   ` Philippe Mathieu-Daudé [this message]
2023-05-22 19:14     ` Mauro Matteo Cascella
2023-05-23  4:53     ` Gerd Hoffmann
2023-05-23  8:09     ` Daniel P. Berrangé
2023-05-23  8:37       ` Philippe Mathieu-Daudé
2023-05-23 12:57         ` Mauro Matteo Cascella
2023-05-23 14:06           ` Philippe Mathieu-Daudé
2023-05-23 15:17             ` Mauro Matteo Cascella
2023-05-10 18:23 ` Michael Tokarev
2023-05-22 18:05 ` Mauro Matteo Cascella
2023-05-23  8:16 ` Daniel P. Berrangé
2023-05-23 12:50   ` Mauro Matteo Cascella
2023-05-23 13:02     ` Daniel P. Berrangé
2023-05-23 15:02       ` Mauro Matteo Cascella

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=fcf99624-9a48-6760-a28d-bb88bce6572f@linaro.org \
    --to=philmd@linaro.org \
    --cc=jacek.halon@gmail.com \
    --cc=kraxel@redhat.com \
    --cc=marcandre.lureau@gmail.com \
    --cc=mcascell@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=richard.henderson@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).