]> xenbits.xensource.com Git - qemu-upstream-4.6-testing.git/commit
projects / qemu-upstream-4.6-testing.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 57901a6) | patch
cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
authorGerd Hoffmann <kraxel@redhat.com>
Tue, 21 Feb 2017 18:54:59 +0000 (10:54 -0800)
committerStefano Stabellini <sstabellini@kernel.org>
Tue, 21 Feb 2017 19:08:56 +0000 (11:08 -0800)
commit722ce03b32f37ef5af09105727b574339326d354
treecfe68beb297797cac4780e2358f1dae5693b4373tree
parent57901a6693118bbe072ce149806e475c6f4bad5bcommit | diff
cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo

CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all.  Oops.  Fix it.

Security impact: high.

The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.

The missing blit width check allows to overflow cirrus_bltbuf,
with the attractive target cirrus_srcptr (current cirrus_bltbuf write
position) being located right after cirrus_bltbuf in CirrusVGAState.

Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
hasn't full control over cirrus_srcptr though, only one byte can be
changed.  Once the first byte has been modified further writes land
elsewhere.

[ This is CVE-2017-2620 / XSA-209  - Ian Jackson ]

Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
hw/display/cirrus_vga.c diff | blob | history
Obsolete Upstream Qemu based repository for xen-4.6-testing