[RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()

Philippe Mathieu-Daudé posted 4 patches 1 year, 4 months ago
Only 3 patches received!
There is a newer version of this series
[RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
Posted by Philippe Mathieu-Daudé 1 year, 4 months ago
memory_region_get_ram_ptr() returns a host pointer for a
MemoryRegion. Sometimes we do offset calculation using this
pointer without checking the underlying MemoryRegion size.

Wenxu Yin reported a buffer overrun in QXL. This series
aims to fix it. I haven't audited the other _get_ram_ptr()
uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
and add a safer helper which checks for overrun.

Worth considering for 7.2?

Regards,

Phil.

Philippe Mathieu-Daudé (4):
  hw/display/qxl: Have qxl_log_command Return early if no log_cmd
    handler
  hw/display/qxl: Document qxl_phys2virt()
  hw/display/qxl: Pass qxl_phys2virt size
  hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()

 hw/display/qxl-logger.c | 22 +++++++++++++++++++---
 hw/display/qxl-render.c | 11 +++++++----
 hw/display/qxl.c        | 25 +++++++++++++++++++------
 hw/display/qxl.h        | 23 ++++++++++++++++++++++-
 4 files changed, 67 insertions(+), 14 deletions(-)

-- 
2.38.1
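The pattern the cover letter describes, as an added example that is not QEMU's code and not part of this series: a toy region with a host backing buffer and a size, the unchecked offset arithmetic beside a variant that takes the size of the object the caller intends to access and refuses any range that does not fit inside the region. ToyMemoryRegion, toy_get_ram_ptr(), toy_range_in_region(), toy_phys2virt_unchecked(), toy_phys2virt_checked(), the 64-byte region and the 16-byte "command" are all invented for illustration; the real qxl_phys2virt() signature and the QXL command layout are not reproduced here.

```c
/*
 * Added example, not QEMU code: a toy model of the pattern described in
 * the cover letter. ToyMemoryRegion stands in for a MemoryRegion backed
 * by guest RAM; toy_get_ram_ptr() stands in for
 * memory_region_get_ram_ptr(). All names and sizes here are invented.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_REGION_SIZE 64u   /* assumed region size, in bytes */

typedef struct {
    uint8_t  host[TOY_REGION_SIZE]; /* host backing store (constructed) */
    uint64_t size;                  /* size the guest is allowed to address */
} ToyMemoryRegion;

/* Like memory_region_get_ram_ptr(): returns the raw host pointer only. */
static uint8_t *toy_get_ram_ptr(ToyMemoryRegion *mr)
{
    return mr->host;
}

/*
 * Overflow-safe containment test for [offset, offset + size).
 * Written as a subtraction so a huge guest offset cannot wrap
 * "offset + size" back below mr->size.
 */
static bool toy_range_in_region(const ToyMemoryRegion *mr,
                                uint64_t offset, uint64_t size)
{
    return offset <= mr->size && size <= mr->size - offset;
}

/*
 * The unsafe shape: offset arithmetic on the host pointer with no size
 * check. The pointer may lie inside the region while the object the
 * caller reads through it does not. Kept only for contrast; the result
 * is never dereferenced here.
 */
static uint8_t *toy_phys2virt_unchecked(ToyMemoryRegion *mr, uint64_t offset)
{
    return toy_get_ram_ptr(mr) + offset;
}

/*
 * The checked shape: the caller says how many bytes it will access,
 * and the translation fails (NULL) unless the whole object fits.
 */
static uint8_t *toy_phys2virt_checked(ToyMemoryRegion *mr,
                                      uint64_t offset, uint64_t size)
{
    if (!toy_range_in_region(mr, offset, size)) {
        return NULL;
    }
    return toy_get_ram_ptr(mr) + offset;
}

/* One shared region so the demo and any checks use the same object. */
static ToyMemoryRegion *toy_region(void)
{
    static ToyMemoryRegion mr;
    static bool init;
    if (!init) {
        memset(mr.host, 0xAA, sizeof mr.host); /* constructed contents */
        mr.size = TOY_REGION_SIZE;
        init = true;
    }
    return &mr;
}

int main(void)
{
    ToyMemoryRegion *mr = toy_region();
    const uint64_t cmd_size = 16;      /* assumed size of a guest command */
    const uint64_t offsets[] = { 0, 48, 49, 64, UINT64_MAX - 8 };

    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        uint8_t *p = toy_phys2virt_checked(mr, offsets[i], cmd_size);
        printf("offset %20llu size %llu -> %s\n",
               (unsigned long long)offsets[i], (unsigned long long)cmd_size,
               p ? "ok" : "rejected");
    }

    /* Offset 49 is inside the region, so the unchecked pointer looks
     * valid, yet a 16-byte read from it runs 1 byte past the end. */
    uint8_t *u = toy_phys2virt_unchecked(mr, 49);
    printf("unchecked: %td bytes remain after offset 49, %llu requested\n",
           (ptrdiff_t)(mr->host + mr->size - u), (unsigned long long)cmd_size);
    return 0;
}
```

The check is done on integers before any pointer arithmetic, so a guest offset near the top of the 64-bit range never becomes a pointer at all; the subtraction form is what keeps the huge-offset case from wrapping past the test.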


Re: [RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
Posted by Philippe Mathieu-Daudé 1 year, 4 months ago
> Philippe Mathieu-Daudé (4):
>    hw/display/qxl: Have qxl_log_command Return early if no log_cmd
>      handler
>    hw/display/qxl: Document qxl_phys2virt()
>    hw/display/qxl: Pass qxl_phys2virt size
>    hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
> 
>   hw/display/qxl-logger.c | 22 +++++++++++++++++++---
>   hw/display/qxl-render.c | 11 +++++++----
>   hw/display/qxl.c        | 25 +++++++++++++++++++------
>   hw/display/qxl.h        | 23 ++++++++++++++++++++++-
>   4 files changed, 67 insertions(+), 14 deletions(-)

I am having a hard time with my MTA:

   4.3.0 Temporary System Problem. Try again later (2). k1-20020a7bc401000000b003cfbe1da539sm5571640wmi.36 - gsmtp

Sorry if this series is mis-posted, I'll try to resend as a
whole later.

Re: [RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
Posted by Mauro Matteo Cascella 1 year, 4 months ago
On Fri, Nov 25, 2022 at 4:40 PM Philippe Mathieu-Daudé
<philmd@linaro.org> wrote:
>
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
>
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.

This is now CVE-2022-4144. Please add a proper "Fixes:" tag, if possible.

Thank you for the fix.

> Worth considering for 7.2?
>
> Regards,
>
> Phil.
>
> Philippe Mathieu-Daudé (4):
>   hw/display/qxl: Have qxl_log_command Return early if no log_cmd
>     handler
>   hw/display/qxl: Document qxl_phys2virt()
>   hw/display/qxl: Pass qxl_phys2virt size
>   hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
>
>  hw/display/qxl-logger.c | 22 +++++++++++++++++++---
>  hw/display/qxl-render.c | 11 +++++++----
>  hw/display/qxl.c        | 25 +++++++++++++++++++------
>  hw/display/qxl.h        | 23 ++++++++++++++++++++++-
>  4 files changed, 67 insertions(+), 14 deletions(-)
>
> --
> 2.38.1
>


-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0