[v3] vga: check the validation of memory addr when draw text

[Qemu-devel] [PATCH v3] vga: check the validation of memory addr when draw text

linzhecheng posted 1 patch 6 years, 3 months ago

Diff against v2
Download mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20180111132724.13744-1-linzhecheng@huawei.com

Test checkpatch passed

Test docker passed

Test ppc passed

Test s390x passed

hw/display/vga.c | 3 +++
1 file changed, 3 insertions(+)

Expand all Fold all

[Qemu-devel] [PATCH v3] vga: check the validation of memory addr when draw text

Posted by linzhecheng 6 years, 3 months ago

Start a vm with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda
redhat_5.11.qcow2  -device pcnet -vga cirrus,
then use VNC client to connect to VM, and excute the code below in guest
OS will lead to qemu crash:

int main()
 {
    iopl(3);
    srand(time(NULL));
    int a,b;
    while(1){
	a = rand()%0x100;
	b = 0x3c0 + (rand()%0x20);
        outb(a,b);
    }
    return 0;
}

The above code is writing the registers of VGA randomly.
We can write VGA CRT controller registers index 0x0C or 0x0D
(which is the start address register) to modify the
the display memory address of the upper left pixel
or character of the screen. The address may be out of the
range of vga ram. So we should check the validation of memory address
when reading or writing it to avoid segfault.

Signed-off-by: linzhecheng <linzhecheng@huawei.com>
---
 hw/display/vga.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index a0412000a5..6e78a4e156 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1279,6 +1279,9 @@ static void vga_draw_text(VGACommonState *s, int full_update)
         cx_min = width;
         cx_max = -1;
         for(cx = 0; cx < width; cx++) {
+            if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) {
+                break;
+            }
             ch_attr = *(uint16_t *)src;
             if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) {
                 if (cx < cx_min)
-- 
2.12.2.windows.2

Re: [Qemu-devel] [PATCH v3] vga: check the validation of memory addr when draw text

Posted by Gerd Hoffmann 6 years, 3 months ago

On Thu, Jan 11, 2018 at 09:27:24PM +0800, linzhecheng wrote:
> Start a vm with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda
> redhat_5.11.qcow2  -device pcnet -vga cirrus,
> then use VNC client to connect to VM, and excute the code below in guest
> OS will lead to qemu crash:
> 
> int main()
>  {
>     iopl(3);
>     srand(time(NULL));
>     int a,b;
>     while(1){
> 	a = rand()%0x100;
> 	b = 0x3c0 + (rand()%0x20);
>         outb(a,b);
>     }
>     return 0;
> }
> 
> The above code is writing the registers of VGA randomly.
> We can write VGA CRT controller registers index 0x0C or 0x0D
> (which is the start address register) to modify the
> the display memory address of the upper left pixel
> or character of the screen. The address may be out of the
> range of vga ram. So we should check the validation of memory address
> when reading or writing it to avoid segfault.

Patch queued up.

thanks,
  Gerd