From: Philippe Mathieu-Daudé <philmd@redhat.com>
To: qemu-devel@nongnu.org
Cc: Prasad J Pandit, Ziming Zhang, BALATON Zoltan, Gaoning Pan, Mauro Matteo Cascella, Gerd Hoffmann, Salvatore Bonaccorso, Philippe Mathieu-Daudé, Qiang Liu
Subject: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)
Date: Mon, 6 Sep 2021 17:31:03 +0200
Message-Id: <20210906153103.1661195-1-philmd@redhat.com>

When building QEMU with DEBUG_ATI defined then running with
'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*' we get:

  ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
  ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
  ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
  ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
  ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
  ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
  ati_mm_write 4 0x1420 DST_Y <- 0x3fff
  ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
  ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
  ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
  ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
  ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)

  Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
  (gdb) bt
  #0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
  #1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
  #2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
  #3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
  #4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492

Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced the local
dst_x and dst_y which adjust the (x, y) coordinates depending on the
direction in the SRCCOPY ROP3 operation, but forgot to address the same
issue for the PATCOPY, BLACKNESS and WHITENESS operations, which also
call pixman_fill().

Fix that now by using the adjusted coordinates in the pixman_fill call,
and update the related debug printf().

Reported-by: Qiang Liu
Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
Signed-off-by: Philippe Mathieu-Daudé
Tested-by: Mauro Matteo Cascella
---
 hw/display/ati_2d.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index 4dc10ea7952..692bec91de4 100644
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s) DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n", s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset, s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch, - s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y, + s->regs.src_x, s->regs.src_y, dst_x, dst_y, s->regs.dst_width, s->regs.dst_height, (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'), (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
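Review bot: this hunk changes only the debug output, but it matters for triage: with `dst_x, dst_y` the `(%d,%d) -> (%d,%d)` line now prints the same coordinates that pixman_fill() later receives, so a trace of a reverse blit (the `<` / `^` case) is no longer misleading. Worth a sentence in the commit message that the raw register values are no longer shown, since the trace quoted in the report (`(0,0) -> (16383,16383)`) was captured with the old output and will not match traces produced after this change.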
@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s) dst_stride /=3D sizeof(uint32_t); DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n", dst_bits, dst_stride, bpp, - s->regs.dst_x, s->regs.dst_y, + dst_x, dst_y, s->regs.dst_width, s->regs.dst_height, filler); pixman_fill((uint32_t *)dst_bits, dst_stride, bpp, - s->regs.dst_x, s->regs.dst_y, + dst_x, dst_y, s->regs.dst_width, s->regs.dst_height, filler); if (dst_bits >=3D s->vga.vram_ptr + s->vga.vbe_start_addr &&
-- 
2.31.1
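Review bot: the substitution of `dst_x, dst_y` into the pixman_fill() call is the right fix for the reverse-direction case, but this hunk does not show where the adjusted coordinates are bounded, and the reported trace reached pixman_fill() with x, y, w and h all 16383 on a 254-word stride. Please state in the commit message where, on this path, `dst_x + dst_width` and `dst_y + dst_height` are validated against the VRAM size; the trailing context line `if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&` runs after the fill, so it cannot be the check that protects it.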
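The commit message describes the direction-dependent coordinate adjustment that the PATCOPY/BLACKNESS/WHITENESS fill path was missing. The following model, added here and not part of the patch or of QEMU's own code, applies that adjustment to the register values from the trace and checks the resulting rectangle against the framebuffer before any fill would be issued; the bit positions of DST_X_LEFT_TO_RIGHT and DST_Y_TOP_TO_BOTTOM, the adjustment formula and the 640x480x32 framebuffer are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Direction bits named in the patch's DPRINTF; the bit positions are assumed. */
#define DST_X_LEFT_TO_RIGHT (1u << 0)
#define DST_Y_TOP_TO_BOTTOM (1u << 1)

/* Stand-in for the guest-written register fields the fill path reads. */
struct blt_regs {
    uint32_t dp_cntl, dst_x, dst_y, dst_width, dst_height;
};
/* Coordinate adjustment as the commit message describes it: for a reverse
 * direction the register holds the far corner, so the top-left corner that
 * pixman_fill() needs lies one extent back. Assumed formula, not QEMU's code. */
static void adjust_dst(const struct blt_regs *r, int64_t *x, int64_t *y)
{
    *x = (r->dp_cntl & DST_X_LEFT_TO_RIGHT) ? (int64_t)r->dst_x
                                            : (int64_t)r->dst_x - r->dst_width + 1;
    *y = (r->dp_cntl & DST_Y_TOP_TO_BOTTOM) ? (int64_t)r->dst_y
                                            : (int64_t)r->dst_y - r->dst_height + 1;
}

/* True only if the adjusted rectangle fits in a framebuffer of `rows` lines of
 * `stride_bytes` bytes at `bpp` bits per pixel. Registers are untrusted guest
 * input, so the arithmetic is done in 64 bits to rule out wraparound. */
static bool fill_rect_in_bounds(const struct blt_regs *r, size_t stride_bytes,
                                size_t rows, unsigned bpp)
{
    int64_t x, y;
    if (r->dst_width == 0 || r->dst_height == 0) {
        return true;    /* nothing to fill, nothing to overrun */
    }
    adjust_dst(r, &x, &y);
    if (x < 0 || y < 0) {
        return false;   /* extent reaches past the left or top edge */
    }
    if ((x + r->dst_width) * (bpp / 8) > (int64_t)stride_bytes) {
        return false;   /* right edge past the end of the row */
    }
    return y + r->dst_height <= (int64_t)rows;
}
int main(void)
{
    /* Constructed: the trace's register values against a 640x480x32 framebuffer. */
    struct blt_regs trace = { DST_X_LEFT_TO_RIGHT, 0x3fff, 0x3fff, 0x3fff, 0x3fff };
    printf("trace blit in bounds: %s\n",
           fill_rect_in_bounds(&trace, 2560, 480, 32) ? "yes" : "no");
    return 0;
}
```

The trace case is rejected because its right edge lies far past the 2560-byte row, while a legitimate full-screen reverse blit (dst at 639,479 with both direction bits clear) adjusts to the origin and passes.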