[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [qemu-xen staging-4.10] vga: check the validation of memory addr when draw text



commit d2283aa233a0b948915a0e956a6e8af6c07a26f1
Author:     linzhecheng <linzhecheng@xxxxxxxxxx>
AuthorDate: Thu Jan 11 21:27:24 2018 +0800
Commit:     Anthony PERARD <anthony.perard@xxxxxxxxxx>
CommitDate: Mon Apr 1 17:09:57 2019 +0100

    vga: check the validation of memory addr when draw text
    
    Start a vm with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda
    redhat_5.11.qcow2  -device pcnet -vga cirrus,
    then use VNC client to connect to VM, and excute the code below in guest
    OS will lead to qemu crash:
    
    int main()
     {
        iopl(3);
        srand(time(NULL));
        int a,b;
        while(1){
            a = rand()%0x100;
            b = 0x3c0 + (rand()%0x20);
            outb(a,b);
        }
        return 0;
    }
    
    The above code is writing the registers of VGA randomly.
    We can write VGA CRT controller registers index 0x0C or 0x0D
    (which is the start address register) to modify the
    the display memory address of the upper left pixel
    or character of the screen. The address may be out of the
    range of vga ram. So we should check the validation of memory address
    when reading or writing it to avoid segfault.
    
    Signed-off-by: linzhecheng <linzhecheng@xxxxxxxxxx>
    Message-id: 20180111132724.13744-1-linzhecheng@xxxxxxxxxx
    Fixes: CVE-2018-5683
    Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
    (cherry picked from commit 191f59dc17396bb5a8da50f8c59b6e0a430711a4)
---
 hw/display/vga.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index 06ca3daa4c..b1cdf36cfa 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1280,6 +1280,9 @@ static void vga_draw_text(VGACommonState *s, int 
full_update)
         cx_min = width;
         cx_max = -1;
         for(cx = 0; cx < width; cx++) {
+            if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) {
+                break;
+            }
             ch_attr = *(uint16_t *)src;
             if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) {
                 if (cx < cx_min)
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#staging-4.10

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.