xenbits.xensource.com Git - qemu-upstream-4.5-testing.git/commit

author	Gerd Hoffmann <kraxel@redhat.com>
	Tue, 21 Feb 2017 18:54:59 +0000 (10:54 -0800)
committer	Stefano Stabellini <sstabellini@kernel.org>
	Tue, 21 Feb 2017 19:19:06 +0000 (11:19 -0800)
commit	ad0d3c66fa90fabc988311fd654f79c3131a4027
tree	f1480a0ebb8149e689a038d0398beffdb25666d1	tree
parent	d75658d557b55d7c350d485c1bde8c43e6128739	commit \| diff

cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo

CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all.  Oops.  Fix it.

Security impact: high.

The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.

The missing blit width check allows to overflow cirrus_bltbuf,
with the attractive target cirrus_srcptr (current cirrus_bltbuf write
position) being located right after cirrus_bltbuf in CirrusVGAState.

Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
hasn't full control over cirrus_srcptr though, only one byte can be
changed.  Once the first byte has been modified further writes land
elsewhere.

[ This is CVE-2017-2620 / XSA-209  - Ian Jackson ]

Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>