From nobody Mon Feb 9 06:00:42 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490054134731876.3673426880744; Mon, 20 Mar 2017 16:55:34 -0700 (PDT) Received: from localhost ([::1]:35738 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq79B-0006iH-9Q for importer@patchew.org; Mon, 20 Mar 2017 19:55:33 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41928) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq6R7-00028a-Ez for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:10:12 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq6Qw-0005IP-FN for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:10:01 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:41772) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cq6Qw-0005Gj-4s for qemu-devel@nongnu.org; Mon, 20 Mar 2017 19:09:50 -0400 Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2KN8X6A128063 for ; Mon, 20 Mar 2017 19:09:49 -0400 Received: from e34.co.us.ibm.com (e34.co.us.ibm.com [32.97.110.152]) by mx0a-001b2d01.pphosted.com with ESMTP id 29ambn29ef-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 20 Mar 2017 19:09:48 -0400 Received: from localhost by e34.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Mar 2017 17:09:48 -0600 Received: from b03cxnp08026.gho.boulder.ibm.com (9.17.130.18) by e34.co.us.ibm.com (192.168.1.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 20 Mar 2017 17:09:45 -0600 Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v2KN9j6r10420588; Mon, 20 Mar 2017 16:09:45 -0700 Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2F52378047; Mon, 20 Mar 2017 17:09:45 -0600 (MDT) Received: from localhost (unknown [9.53.92.194]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP id 1A2997803F; Mon, 20 Mar 2017 17:09:45 -0600 (MDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 20 Mar 2017 18:08:36 -0500 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17032023-0016-0000-0000-00000668D4DB X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006819; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000206; SDB=6.00836553; UDB=6.00411162; IPR=6.00614322; BA=6.00005224; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00014732; XFM=3.00000013; UTC=2017-03-20 23:09:47 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17032023-0017-0000-0000-000038529688 Message-Id: <1490051325-3770-73-git-send-email-mdroth@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-20_16:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703200196 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.156.1 Subject: [Qemu-devel] [PATCH 72/81] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620) X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-stable@nongnu.org, Gerd Hoffmann Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Gerd Hoffmann CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination and blit width, at all. Oops. Fix it. Security impact: high. The missing blit destination check allows to write to host memory. Basically same as CVE-2014-8106 for the other blit variants. Cc: qemu-stable@nongnu.org Signed-off-by: Gerd Hoffmann (cherry picked from commit 92f2b88cea48c6aeba8de568a45f2ed958f3c298) Signed-off-by: Michael Roth --- hw/display/cirrus_vga.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 629a5c8..6766349 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -873,6 +873,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) { int w; =20 + if (blit_is_unsafe(s, true)) { + return 0; + } + s->cirrus_blt_mode &=3D ~CIRRUS_BLTMODE_MEMSYSSRC; s->cirrus_srcptr =3D &s->cirrus_bltbuf[0]; s->cirrus_srcptr_end =3D &s->cirrus_bltbuf[0]; @@ -898,6 +902,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) } s->cirrus_srccounter =3D s->cirrus_blt_srcpitch * s->cirrus_blt_he= ight; } + + /* the blit_is_unsafe call above should catch this */ + assert(s->cirrus_blt_srcpitch <=3D CIRRUS_BLTBUFSIZE); + s->cirrus_srcptr =3D s->cirrus_bltbuf; s->cirrus_srcptr_end =3D s->cirrus_bltbuf + s->cirrus_blt_srcpitch; cirrus_update_memory_access(s); --=20 2.7.4