From patchwork Mon Mar 13 14:56:11 2017
X-Patchwork-Submitter: "Gonglei (Arei)"
X-Patchwork-Id: 9621275
From: "Gonglei (Arei)"
To: Gerd Hoffmann, Hangaohuai
Cc: fangying, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] fix :cirrus_vga fix OOB read case qemu Segmentation fault
Date: Mon, 13 Mar 2017 14:56:11 +0000
Message-ID: <33183CC9F5247A488A2544077AF19020DA1E2D1B@DGGEMA505-MBS.china.huawei.com>
In-Reply-To: <1489413307.13264.21.camel@redhat.com>
References: <20170313131029.14044-1-hangaohuai@huawei.com> <1489413307.13264.21.camel@redhat.com>

Hi Gerd,

Thanks for the rapid reply :)

> -----Original Message-----
> From: Gerd Hoffmann [mailto:kraxel@redhat.com]
> Sent: Monday, March 13, 2017 9:55 PM
> To: Hangaohuai
> Cc: qemu-devel@nongnu.org; fangying; Gonglei (Arei)
> Subject: Re: [Qemu-devel] [PATCH] fix :cirrus_vga fix OOB read case qemu Segmentation fault
>
> > @@ -97,6 +97,11 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
> >      uint8_t p;
> >      dstpitch -= bltwidth;
> >      srcpitch -= bltwidth;
> > +
> > +    if (dstpitch < 0 || srcpitch < 0) {
> > +        return;
> > +    }
>
> Shouldn't that be ...
>
>     if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
>
> ... matching the check of the non-transparent version a few lines up in
> the same source file?
>

Maybe yes, we checked this patch after getting your clue:

commit d16136d22af0fcf0d651de04c9e3cbc7137cc6f9
Author: Benjamin Herrenschmidt
Date:   Mon Jul 7 10:32:34 2014 +1000

    cirrus: Fix host CPU blits

    Commit b2eb849d4b1fdb6f35d5c46958c7f703cf64cfef "CVE-2007-1320 - Cirrus
    LGD-54XX "bitblt" heap overflow" broke cpu to video blits.

    When the ROP function is called from cirrus_bitblt_cputovideo_next(),
    we pass 0 for the pitch but only operate on one line at a time.

    The added test was tripping because after the initial subtraction,
    the pitch becomes negative.

    Make the test only trip when the height is larger than one (i.e. the
    pitch is actually used).

    This fixes HW cursor support in Windows NT4.0 (which otherwise was a
    white rectangle) and general display of icons in that OS when using
    8bpp mode.

    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Gerd Hoffmann

So is a v2 needed?

Thanks,
-Gonglei

diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
index 9c7bb09..0925a00 100644
--- a/hw/display/cirrus_vga_rop.h
+++ b/hw/display/cirrus_vga_rop.h
@@ -52,8 +52,7 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
     dstpitch -= bltwidth;
     srcpitch -= bltwidth;
-    if (dstpitch < 0 || srcpitch < 0) {
-        /* is 0 valid? srcpitch == 0 could be useful */
+    if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
         return;
     }
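Review bot: the hunk at line 52 drops the `/* is 0 valid? srcpitch == 0 could be useful */` comment without saying why `bltheight > 1` makes a negative adjusted pitch acceptable; a one-line comment that the pitch is only added between rows, so a single-row blit called with pitch 0 never uses it, would keep that intent next to the check. The transparent variant quoted earlier in this thread (the hunk at line 97 of the same file) still adds an unconditional `if (dstpitch < 0 || srcpitch < 0)`, which would reject the same one-row cputovideo blits; it should carry the identical `bltheight > 1 &&` condition, as Gerd suggests.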
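An added example (not QEMU code and not from this thread) that models the row loop of the cirrus_bitblt_rop_fwd_* helpers in C so the reasoning in the quoted commit message can be checked: `model_blit_fwd` and its `guard` flag are assumed names for this model, which tracks the destination offsets the real loop would touch and only copies rows that stay inside the constructed buffers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU code: a model of the row loop in the
 * cirrus_bitblt_rop_fwd_* helpers (bltwidth bytes per row, then the
 * adjusted pitch is added, bltheight times). It records the lowest and
 * highest destination offset the loop touches; `guard` toggles the
 * bltheight > 1 check from the commit above. Returns false if rejected. */
static bool model_blit_fwd(uint8_t *dst, size_t dstlen,
                           const uint8_t *src, size_t srclen,
                           int dstpitch, int srcpitch, int bltwidth,
                           int bltheight, bool guard, long *lo, long *hi)
{
    long doff = 0, soff = 0;   /* byte offsets relative to dst / src */
    dstpitch -= bltwidth;
    srcpitch -= bltwidth;
    /* The adjusted pitch only moves the pointers between rows, so a
     * one-row blit with pitch 0 (the cirrus_bitblt_cputovideo_next()
     * case described above) is harmless and must not be rejected. */
    if (guard && bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
        return false;
    }
    *lo = 0;
    *hi = bltwidth - 1;
    for (int y = 0; y < bltheight; y++) {
        if (doff < *lo) *lo = doff;
        if (doff + bltwidth - 1 > *hi) *hi = doff + bltwidth - 1;
        /* The model copies a row only when both ends stay in bounds. */
        if (doff >= 0 && soff >= 0 && (size_t)(doff + bltwidth) <= dstlen &&
            (size_t)(soff + bltwidth) <= srclen) {
            memcpy(dst + doff, src + soff, (size_t)bltwidth);
        }
        doff += bltwidth + dstpitch;   /* dst++ per byte, then += dstpitch */
        soff += bltwidth + srcpitch;
    }
    return true;
}

int main(void)
{
    uint8_t src[8] = {1, 2, 3, 4, 5, 6, 7, 8}, dst[64] = {0};
    long lo, hi;   /* one row, pitch 0: adjusted pitch negative but unused */
    bool ok = model_blit_fwd(dst, 64, src, 8, 0, 0, 8, 1, true, &lo, &hi);
    printf("1 row, pitch 0: accepted=%d offsets [%ld,%ld]\n", ok, lo, hi);
    ok = model_blit_fwd(dst, 64, src, 8, -16, 16, 8, 2, false, &lo, &hi);
    printf("2 rows, pitch -16, no guard: lowest offset %ld\n", lo);
    return 0;
}
```

With the guard off, the second call shows the destination offset the real loop would reach (-16) for a two-row blit with a negative pitch; with the guard on, that call is rejected while the one-row pitch-0 case still passes.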