
[Xen-changelog] [qemu-upstream-unstable] vnc: fix memory corruption (CVE-2015-5225)



commit 604ad155f685162b18ddb2446ca03ec9fe7901ce
Author:     Gerd Hoffmann <kraxel@xxxxxxxxxx>
AuthorDate: Fri Aug 21 20:59:27 2015 +0200
Commit:     Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
CommitDate: Fri Aug 21 22:10:58 2015 +0000

    vnc: fix memory corruption (CVE-2015-5225)

    The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
    memory corruption issues" can become negative.  Result is (possibly
    exploitable) memory corruption.  Reason for that is it uses the stride
    instead of bytes per scanline to apply limits.

    For the server surface it is actually fine.  vnc creates that itself,
    there is never any padding and thus scanline length always equals stride.

    For the guest surface scanline length and stride are typically identical
    too, but it doesn't have to be that way.  So add and use a new variable
    (guest_ll) for the guest scanline length.  Also rename min_stride to
    line_bytes to make more clear what it actually is.  Finally sprinkle
    in an assert() to make sure we never use a negative _cmp_bytes again.

    Reported-by: è??ç¥?è?³(åº?ç?¹) <zuozhi.fzz@xxxxxxxxxxxxxxx>
    Reviewed-by: P J P <ppandit@xxxxxxxxxx>
    Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
    Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
---
 ui/vnc.c |   15 ++++++++++-----
 1 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index 5707015..db4d97e 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2689,7 +2689,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
                     pixman_image_get_width(vd->server));
     int height = MIN(pixman_image_get_height(vd->guest.fb),
                      pixman_image_get_height(vd->server));
-    int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
+    int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
     uint8_t *guest_row0 = NULL, *server_row0;
     VncState *vs;
     int has_dirty = 0;
@@ -2708,17 +2708,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
      * Update server dirty map.
      */
     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
-    server_stride = guest_stride = pixman_image_get_stride(vd->server);
+    server_stride = guest_stride = guest_ll =
+        pixman_image_get_stride(vd->server);
     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
                     server_stride);
     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
         int width = pixman_image_get_width(vd->server);
         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
     } else {
+        int guest_bpp =
+            PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
         guest_stride = pixman_image_get_stride(vd->guest.fb);
+        guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 
8);
     }
-    min_stride = MIN(server_stride, guest_stride);
+    line_bytes = MIN(server_stride, guest_ll);

     for (;;) {
         int x;
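Review bot: the new `guest_ll` computation at the end of the else branch documents the guest scanline length well, but the conversion path (the `if` branch that creates `tmpbuf`) silently leaves `guest_ll` equal to the server stride without saying why. A one-line comment there, noting that the converted `tmpbuf` row has the server format and the server width so its length equals `server_stride`, would make the invariant that `line_bytes = MIN(server_stride, guest_ll)` relies on explicit for the next reader.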
@@ -2749,9 +2753,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
                 continue;
             }
-            if ((x + 1) * cmp_bytes > min_stride) {
-                _cmp_bytes = min_stride - x * cmp_bytes;
+            if ((x + 1) * cmp_bytes > line_bytes) {
+                _cmp_bytes = line_bytes - x * cmp_bytes;
             }
+            assert(_cmp_bytes >= 0);
             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
                 continue;
             }
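Review bot: `assert(_cmp_bytes >= 0);` after the clamp converts any remaining miscalculation of `line_bytes` into an abort of the whole QEMU process on a path reachable through guest framebuffer updates, and it compiles away entirely if the build defines NDEBUG, so the real runtime protection is the clamp `_cmp_bytes = line_bytes - x * cmp_bytes;` above it. Consider a short comment stating that the assert documents an invariant rather than guarding the memcmp, and if an abort is not acceptable here, a defensive `if (_cmp_bytes <= 0) continue;` (zero bytes compare equal anyway) would degrade more gracefully.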
--
generated by git-patchbot for /home/xen/git/qemu-upstream-unstable.git