mbox series

[RFC,PATCH-for-7.2,0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()

Message ID 20221128134832.84867-1-philmd@linaro.org (mailing list archive)
Headers show
Series hw/display/qxl: Avoid buffer overrun in qxl_phys2virt() | expand

Message

Philippe Mathieu-Daudé Nov. 28, 2022, 1:48 p.m. UTC
Since v1:
- Addressed Marc-André review comments
- Moved overrun check in qxl_get_check_slot_offset()

memory_region_get_ram_ptr() returns a host pointer for a
MemoryRegion. Sometimes we do offset calculation using this
pointer without checking the underlying MemoryRegion size.

Wenxu Yin reported a buffer overrun in QXL. This series
aims to fix it. I haven't audited the other _get_ram_ptr()
uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
and add a safer helper which checks for overrun.

Worth considering for 7.2?

Regards,

Phil.

Philippe Mathieu-Daudé (5):
  hw/display/qxl: Have qxl_log_command Return early if no log_cmd
    handler
  hw/display/qxl: Document qxl_phys2virt()
  hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
  hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)
  hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion

 hw/display/qxl-logger.c | 22 +++++++++++++++++++---
 hw/display/qxl-render.c | 12 ++++++++----
 hw/display/qxl.c        | 37 ++++++++++++++++++++++++++++---------
 hw/display/qxl.h        | 23 ++++++++++++++++++++++-
 4 files changed, 77 insertions(+), 17 deletions(-)

Comments

Philippe Mathieu-Daudé Nov. 28, 2022, 1:51 p.m. UTC | #1
On 28/11/22 14:48, Philippe Mathieu-Daudé wrote:
> Since v1:
> - Addressed Marc-André review comments
> - Moved overrun check in qxl_get_check_slot_offset()
> 
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
> 
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.
> 
> Worth considering for 7.2?
> 
> Regards,
> 
> Phil.

This series is v2...

v1 was 
https://lore.kernel.org/qemu-devel/20221125154030.42108-1-philmd@linaro.org/
Stefan Hajnoczi Nov. 28, 2022, 3:19 p.m. UTC | #2
On Mon, 28 Nov 2022 at 08:50, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> Since v1:
> - Addressed Marc-André review comments
> - Moved overrun check in qxl_get_check_slot_offset()
>
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
>
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.
>
> Worth considering for 7.2?

Yes, please. If Gerd is happy I'll merge it.

Stefan

>
> Regards,
>
> Phil.
>
> Philippe Mathieu-Daudé (5):
>   hw/display/qxl: Have qxl_log_command Return early if no log_cmd
>     handler
>   hw/display/qxl: Document qxl_phys2virt()
>   hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
>   hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)
>   hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion
>
>  hw/display/qxl-logger.c | 22 +++++++++++++++++++---
>  hw/display/qxl-render.c | 12 ++++++++----
>  hw/display/qxl.c        | 37 ++++++++++++++++++++++++++++---------
>  hw/display/qxl.h        | 23 ++++++++++++++++++++++-
>  4 files changed, 77 insertions(+), 17 deletions(-)
>
> --
> 2.38.1
>
>