mbox series

[RFC,PATCH-for-7.2,v3,0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()

Message ID 20221128202741.4945-1-philmd@linaro.org (mailing list archive)
Headers show
Series hw/display/qxl: Avoid buffer overrun in qxl_phys2virt() | expand

Message

Philippe Mathieu-Daudé Nov. 28, 2022, 8:27 p.m. UTC
Since v2:
- Do not abort checking guest-provided addresses (Stefan)
- Handle chunked QEMUCursor (Gerd)

Since v1:
- Moved overrun check in qxl_get_check_slot_offset (Marc-André)

memory_region_get_ram_ptr() returns a host pointer for a
MemoryRegion. Sometimes we do offset calculation using this
pointer without checking the underlying MemoryRegion size.

Wenxu Yin reported a buffer overrun in QXL. This series
aims to fix it. I haven't audited the other _get_ram_ptr()
uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
and add a safer helper which checks for overrun.

Worth considering for 7.2?

Regards,

Phil.

Philippe Mathieu-Daudé (5):
  hw/display/qxl: Have qxl_log_command Return early if no log_cmd
    handler
  hw/display/qxl: Document qxl_phys2virt()
  hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
  hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)
  hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion

 hw/display/qxl-logger.c | 22 ++++++++++++++++++---
 hw/display/qxl-render.c | 20 ++++++++++++++++----
 hw/display/qxl.c        | 42 ++++++++++++++++++++++++++++++++---------
 hw/display/qxl.h        | 23 +++++++++++++++++++++-
 4 files changed, 90 insertions(+), 17 deletions(-)

Comments

Stefan Hajnoczi Nov. 30, 2022, 7:45 p.m. UTC | #1
On Mon, 28 Nov 2022 at 15:30, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> Since v2:
> - Do not abort checking guest-provided addresses (Stefan)
> - Handle chunked QEMUCursor (Gerd)
>
> Since v1:
> - Moved overrun check in qxl_get_check_slot_offset (Marc-André)
>
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
>
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.
>
> Worth considering for 7.2?

Merged, thanks!

Stefan