[RFC PATCH-for-7.2 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()

Philippe Mathieu-Daudé posted 5 patches 1 year, 4 months ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20221128134832.84867-1-philmd@linaro.org
Maintainers: Gerd Hoffmann <kraxel@redhat.com>
There is a newer version of this series
[RFC PATCH-for-7.2 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
Posted by Philippe Mathieu-Daudé 1 year, 4 months ago
Since v1:
- Addressed Marc-André review comments
- Moved overrun check in qxl_get_check_slot_offset()

memory_region_get_ram_ptr() returns a host pointer for a
MemoryRegion. Sometimes we do offset calculation using this
pointer without checking the underlying MemoryRegion size.

Wenxu Yin reported a buffer overrun in QXL. This series
aims to fix it. I haven't audited the other _get_ram_ptr()
uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
and add a safer helper which checks for overrun.

Worth considering for 7.2?

Regards,

Phil.

Philippe Mathieu-Daudé (5):
  hw/display/qxl: Have qxl_log_command Return early if no log_cmd
    handler
  hw/display/qxl: Document qxl_phys2virt()
  hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
  hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)
  hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion

 hw/display/qxl-logger.c | 22 +++++++++++++++++++---
 hw/display/qxl-render.c | 12 ++++++++----
 hw/display/qxl.c        | 37 ++++++++++++++++++++++++++++---------
 hw/display/qxl.h        | 23 ++++++++++++++++++++++-
 4 files changed, 77 insertions(+), 17 deletions(-)

-- 
2.38.1

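An added illustration, not code from this series or from QEMU, of the translation pattern the cover letter and patch 3/5 describe: a slot's host pointer offset by a guest address with no size check, beside a version that takes the caller's requested size and refuses any range that leaves the slot. The MemSlot layout, the function names and the 64-byte demo slot are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a QXL-style memory slot (hypothetical, not QEMU's). */
typedef struct {
    uint64_t guest_base;   /* first guest physical address of the slot */
    uint64_t size;         /* bytes of host RAM actually backing it */
    uint8_t *host_ptr;     /* what memory_region_get_ram_ptr() would return */
} MemSlot;

/* The bug's shape: a guest-supplied address becomes a host pointer with no
 * look at the backing size, so an address past the slot escapes the buffer. */
void *phys2virt_unchecked(const MemSlot *slot, uint64_t guest_addr)
{
    return slot->host_ptr + (guest_addr - slot->guest_base);
}

/* The fix's shape: the caller says how many bytes it will touch, and all of
 * [guest_addr, guest_addr + size) must fit; the subtraction form cannot wrap. */
bool phys2virt_checked(const MemSlot *slot, uint64_t guest_addr,
                       size_t size, void **out)
{
    *out = NULL;
    if (guest_addr < slot->guest_base) {
        return false;
    }
    uint64_t offset = guest_addr - slot->guest_base;
    if (offset >= slot->size || size > slot->size - offset) {
        return false;          /* access would run past the backing RAM */
    }
    *out = slot->host_ptr + offset;
    return true;
}

static uint8_t g_backing[64];  /* constructed 64-byte host buffer */
static const MemSlot g_slot = { 0x1000, sizeof(g_backing), g_backing };

/* Where the unchecked path lands, as an offset into the backing buffer. */
ptrdiff_t unchecked_offset(uint64_t guest_addr)
{
    return (uint8_t *)phys2virt_unchecked(&g_slot, guest_addr) - g_backing;
}

/* Verdict of the checked path for the demo slot. */
bool checked_ok(uint64_t guest_addr, size_t size)
{
    void *p;
    return phys2virt_checked(&g_slot, guest_addr, size, &p);
}
```

With the demo slot, the unchecked path happily returns a pointer at offset 64 (one past the buffer) for guest address 0x1040, while the checked path rejects any access that does not fit in the 64 backing bytes.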

Re: [RFC PATCH-for-7.2 v2 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
Posted by Philippe Mathieu-Daudé 1 year, 4 months ago
On 28/11/22 14:48, Philippe Mathieu-Daudé wrote:
> Since v1:
> - Addressed Marc-André review comments
> - Moved overrun check in qxl_get_check_slot_offset()
> 
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
> 
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.
> 
> Worth considering for 7.2?
> 
> Regards,
> 
> Phil.

This series is v2...

v1 was https://lore.kernel.org/qemu-devel/20221125154030.42108-1-philmd@linaro.org/

Re: [RFC PATCH-for-7.2 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
Posted by Stefan Hajnoczi 1 year, 4 months ago
On Mon, 28 Nov 2022 at 08:50, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> Since v1:
> - Addressed Marc-André review comments
> - Moved overrun check in qxl_get_check_slot_offset()
>
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
>
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.
>
> Worth considering for 7.2?

Yes, please. If Gerd is happy I'll merge it.

Stefan

>
> Regards,
>
> Phil.
>
> Philippe Mathieu-Daudé (5):
>   hw/display/qxl: Have qxl_log_command Return early if no log_cmd
>     handler
>   hw/display/qxl: Document qxl_phys2virt()
>   hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
>   hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)
>   hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion
>
>  hw/display/qxl-logger.c | 22 +++++++++++++++++++---
>  hw/display/qxl-render.c | 12 ++++++++----
>  hw/display/qxl.c        | 37 ++++++++++++++++++++++++++++---------
>  hw/display/qxl.h        | 23 ++++++++++++++++++++++-
>  4 files changed, 77 insertions(+), 17 deletions(-)
>
> --
> 2.38.1
>
>