| Message ID | 20221128134832.84867-1-philmd@linaro.org (mailing list archive) |
|---|---|
| Headers | show |
| Series | hw/display/qxl: Avoid buffer overrun in qxl_phys2virt() | expand |
On 28/11/22 14:48, Philippe Mathieu-Daudé wrote: > Since v1: > - Addressed Marc-André review comments > - Moved overrun check in qxl_get_check_slot_offset() > > memory_region_get_ram_ptr() returns a host pointer for a > MemoryRegion. Sometimes we do offset calculation using this > pointer without checking the underlying MemoryRegion size. > > Wenxu Yin reported a buffer overrun in QXL. This series > aims to fix it. I haven't audited the other _get_ram_ptr() > uses (yet). Eventually we could rename it _get_ram_ptr_unsafe > and add a safer helper which checks for overrun. > > Worth considering for 7.2? > > Regards, > > Phil. This series is v2... v1 was https://lore.kernel.org/qemu-devel/20221125154030.42108-1-philmd@linaro.org/
On Mon, 28 Nov 2022 at 08:50, Philippe Mathieu-Daudé <philmd@linaro.org> wrote: > > Since v1: > - Addressed Marc-André review comments > - Moved overrun check in qxl_get_check_slot_offset() > > memory_region_get_ram_ptr() returns a host pointer for a > MemoryRegion. Sometimes we do offset calculation using this > pointer without checking the underlying MemoryRegion size. > > Wenxu Yin reported a buffer overrun in QXL. This series > aims to fix it. I haven't audited the other _get_ram_ptr() > uses (yet). Eventually we could rename it _get_ram_ptr_unsafe > and add a safer helper which checks for overrun. > > Worth considering for 7.2? Yes, please. If Gerd is happy I'll merge it. Stefan > > Regards, > > Phil. > > Philippe Mathieu-Daudé (5): > hw/display/qxl: Have qxl_log_command Return early if no log_cmd > handler > hw/display/qxl: Document qxl_phys2virt() > hw/display/qxl: Pass requested buffer size to qxl_phys2virt() > hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144) > hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion > > hw/display/qxl-logger.c | 22 +++++++++++++++++++--- > hw/display/qxl-render.c | 12 ++++++++---- > hw/display/qxl.c | 37 ++++++++++++++++++++++++++++--------- > hw/display/qxl.h | 23 ++++++++++++++++++++++- > 4 files changed, 77 insertions(+), 17 deletions(-) > > -- > 2.38.1 > >
Since v1: - Addressed Marc-André review comments - Moved overrun check in qxl_get_check_slot_offset() memory_region_get_ram_ptr() returns a host pointer for a MemoryRegion. Sometimes we do offset calculation using this pointer without checking the underlying MemoryRegion size. Wenxu Yin reported a buffer overrun in QXL. This series aims to fix it. I haven't audited the other _get_ram_ptr() uses (yet). Eventually we could rename it _get_ram_ptr_unsafe and add a safer helper which checks for overrun. Worth considering for 7.2? Regards, Phil. Philippe Mathieu-Daudé (5): hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler hw/display/qxl: Document qxl_phys2virt() hw/display/qxl: Pass requested buffer size to qxl_phys2virt() hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144) hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion hw/display/qxl-logger.c | 22 +++++++++++++++++++--- hw/display/qxl-render.c | 12 ++++++++---- hw/display/qxl.c | 37 ++++++++++++++++++++++++++++--------- hw/display/qxl.h | 23 ++++++++++++++++++++++- 4 files changed, 77 insertions(+), 17 deletions(-)