[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [qemu-xen-traditional stable-4.8] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
commit b77d58b59ff0688e4aeb933450d07716ca0fb1f2 Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> AuthorDate: Wed Feb 22 16:25:19 2017 +0000 Commit: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> CommitDate: Wed Feb 22 16:26:27 2017 +0000 cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination and blit width, at all. Oops. Fix it. Security impact: high. The missing blit destination check allows to write to host memory. Basically same as CVE-2014-8106 for the other blit variants. The missing blit width check allows to overflow cirrus_bltbuf, with the attractive target cirrus_srcptr (current cirrus_bltbuf write position) being located right after cirrus_bltbuf in CirrusVGAState. Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker hasn't full control over cirrus_srcptr though, only one byte can be changed. Once the first byte has been modified further writes land elsewhere. [ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj Reported-by: Gerd Hoffmann <ghoffman@xxxxxxxxxx> Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> (cherry picked from commit 83256b312acfddda34d96e9bba30e93387481091) --- hw/cirrus_vga.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c index 364e22d..06b4a3b 100644 --- a/hw/cirrus_vga.c +++ b/hw/cirrus_vga.c @@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) { int w; + if (blit_is_unsafe(s)) { + return 0; + } + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; s->cirrus_srcptr = &s->cirrus_bltbuf[0]; s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; @@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) } s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; } + + /* the blit_is_unsafe call above should catch this */ + assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); + s->cirrus_srcptr = s->cirrus_bltbuf; s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; cirrus_update_memory_access(s); -- generated by git-patchbot for /home/xen/git/qemu-xen-traditional.git#stable-4.8 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |