From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Alex Williamson, Gerd Hoffmann, Stefan Hajnoczi
Date: Fri, 18 Jan 2019 17:31:00 +0000
Subject: [Qemu-devel] [PATCH v2 1/4] display: ensure qxl log_buf is a nul terminated string
Message-Id: <20190118173103.4903-2-berrange@redhat.com>
In-Reply-To: <20190118173103.4903-1-berrange@redhat.com>
References: <20190118173103.4903-1-berrange@redhat.com>

The QXL_IO_LOG command allows the guest to send log messages to the host via a buffer in the QXLRam struct. QEMU prints these to the console if the qxl 'guestdebug' option is set to non-zero. It will also feed them to the trace subsystem if any backends are built-in.

In both cases the log_buf data will get treated as being a nul terminated string, by the printf '%s' format specifier and / or other code reading the buffer. QEMU does nothing to guarantee that the log_buf really is nul terminated, so there is potential for out of bounds array access.

This would affect any QEMU which has the log, syslog or ftrace trace backends built into QEMU. It can only be triggered if the 'qxl_io_log' trace event is enabled, however, so they are not vulnerable without specific administrative action to enable this.
It would also affect QEMU if the 'guestdebug' parameter is set to a non-zero value, which again is not the default and requires explicit admin opt-in.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Eric Blake
Reviewed-by: Gerd Hoffmann

--- hw/display/qxl.c | 3 ++- hw/display/trace-events | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/display/qxl.c b/hw/display/qxl.c index 8e9a65e75b..eefdf4baac 100644 --- a/hw/display/qxl.c +++ b/hw/display/qxl.c @@ -1763,7 +1763,8 @@ async_common: qxl_set_mode(d, val, 0); break; case QXL_IO_LOG: - trace_qxl_io_log(d->id, d->ram->log_buf); + d->ram->log_buf[sizeof(d->ram->log_buf) - 1] =3D '\0'; + trace_qxl_io_log(d->id, (const char *)d->ram->log_buf); if (d->guestdebug) { fprintf(stderr, "qxl/guest-%d: %" PRId64 ": %s", d->id, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), d->ram->log_buf= ); diff --git a/hw/display/trace-events b/hw/display/trace-events index 5a48c6cb6a..387c6b8931 100644 --- a/hw/display/trace-events +++ b/hw/display/trace-events @@ -72,7 +72,7 @@ qxl_interface_update_area_complete_rest(int qid, uint32_t= num_updated_rects) "%d qxl_interface_update_area_complete_overflow(int qid, int max) "%d max=3D%d" qxl_interface_update_area_complete_schedule_bh(int qid, uint32_t num_dirty= ) "%d #dirty=3D%d" qxl_io_destroy_primary_ignored(int qid, const char *mode) "%d %s" -qxl_io_log(int qid, const uint8_t *log_buf) "%d %s" +qxl_io_log(int qid, const char *log_buf) "%d %s" qxl_io_read_unexpected(int qid) "%d" qxl_io_unexpected_vga_mode(int qid, uint64_t addr, uint64_t val, const cha= r *desc) "%d 0x%"PRIx64"=3D%"PRIu64" (%s)" qxl_io_write(int qid, const char *mode, uint64_t addr, const char *aname, = uint64_t val, unsigned size, int async) "%d %s addr=3D%"PRIu64 " (%s) val= =3D%"PRIu64" size=3D%u async=3D%d" --=20 2.20.1
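Review bot: in the hw/display/qxl.c hunk, the terminator store `d->ram->log_buf[sizeof(d->ram->log_buf) - 1] = '\0';` writes into the QXLRam buffer that the guest itself fills, so the fix is both guest-visible (the last byte of the guest's message is silently overwritten) and not a complete guarantee: the array is re-read twice afterwards, once by `trace_qxl_io_log()` and once by the `fprintf(..., "%s", ...)` under `if (d->guestdebug)`, and a guest update to that shared memory between the store and either read would undo the termination for the later read. Copying the buffer once into a host-local array bounded by `sizeof(d->ram->log_buf)`, terminating the copy, and passing that copy to both the trace point and fprintf removes the dependence on the shared memory staying unchanged; it would also make the fprintf argument a `const char *` like the trace argument now is, instead of the still uncast `d->ram->log_buf`.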
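Review bot: the hw/display/trace-events hunk changes the `qxl_io_log` parameter from `const uint8_t *` to `const char *`, which means every caller of `trace_qxl_io_log()` must now pass a char pointer; the only caller visible in this patch (hw/display/qxl.c) adds the cast, but any other call site still passing the raw `uint8_t` array would now produce a pointer-sign warning under -Wpointer-sign, so it is worth confirming there are no remaining callers before merging. The commit message could also state that the type change is a signature-only adjustment to match the existing `%s` format and needs no backend-side change.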
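The pattern the commit message describes, a fixed-size guest-filled buffer reaching a `%s` format with no guarantee of a terminator, as an added example that is not QEMU's code and not part of this patch: a host-side snapshot routine that bounds its scan to the array, copies into host-owned storage and terminates that copy, so the guest-visible buffer is only ever read and the fully-filled no-NUL case is handled. The `shared_ram` struct, `LOG_BUF_SIZE`, and the function names are assumptions made for the example, not the real QXLRam layout.

```c
/* Added example, not QEMU code: turning a fixed-size, guest-filled
 * buffer into a host-owned, nul terminated string before any "%s" use.
 * The struct layout, LOG_BUF_SIZE and all function names are assumptions
 * made for this example; they are not the real QXLRam definitions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 4096   /* constructed size for the example */

/* Stand-in for the guest-shared structure: the guest writes log_buf,
 * the host reads it. Nothing here assumes the guest wrote a NUL. */
struct shared_ram {
    uint8_t log_buf[LOG_BUF_SIZE];
};

/* Snapshot ram->log_buf into dst (LOG_BUF_SIZE bytes) and guarantee a
 * terminator. The scan never leaves the array, the shared buffer is only
 * read (never written), and a guest that fills every byte without a NUL
 * loses at most its last byte. Returns the resulting string length. */
size_t snapshot_log_buf(const struct shared_ram *ram, char *dst)
{
    size_t len = 0;

    /* Bounded scan: stop at the first NUL or at the end of the array. */
    while (len < sizeof(ram->log_buf) && ram->log_buf[len] != '\0') {
        len++;
    }
    /* No NUL at all: keep room for the terminator we add ourselves. */
    if (len > LOG_BUF_SIZE - 1) {
        len = LOG_BUF_SIZE - 1;
    }
    /* memcpy, not strcpy: the source is not trusted to be a string. */
    memcpy(dst, ram->log_buf, len);
    dst[len] = '\0';
    return len;
}

/* Demo 1: a well-formed guest message. Returns the string length seen. */
size_t demo_plain_message_len(void)
{
    struct shared_ram ram;
    char local[LOG_BUF_SIZE];
    static const char msg[] = "hello from guest";   /* constructed input */

    memset(&ram, 0, sizeof(ram));
    memcpy(ram.log_buf, msg, sizeof(msg));
    return snapshot_log_buf(&ram, local);           /* 16 */
}

/* Demo 2: the failure mode the patch addresses, a buffer the guest filled
 * entirely with non-NUL bytes. Returns 1 if the copy was capped and
 * terminated and the shared buffer was left untouched, else 0. */
int demo_unterminated_buffer_is_safe(void)
{
    struct shared_ram ram;
    char local[LOG_BUF_SIZE];

    memset(ram.log_buf, 'A', sizeof(ram.log_buf));  /* constructed: no NUL */
    size_t len = snapshot_log_buf(&ram, local);

    return len == LOG_BUF_SIZE - 1
        && local[LOG_BUF_SIZE - 1] == '\0'
        && strlen(local) == LOG_BUF_SIZE - 1
        && ram.log_buf[LOG_BUF_SIZE - 1] == 'A';    /* guest memory unchanged */
}

int main(void)
{
    char local[LOG_BUF_SIZE];
    struct shared_ram ram;

    memset(&ram, 0, sizeof(ram));
    memcpy(ram.log_buf, "hello from guest", 17);
    printf("%zu: %s\n", snapshot_log_buf(&ram, local), local);
    printf("unterminated buffer handled safely: %d\n",
           demo_unterminated_buffer_is_safe());
    return 0;
}
```

The copy costs one bounded scan and one memcpy per QXL_IO_LOG, which is negligible next to the fprintf and trace work that follows, and it makes the later `%s` reads independent of what the guest does to the shared array after the snapshot.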