From: Li Qiang Date: Mon, 13 Feb 2017 15:22:15 +0000 (+0000) Subject: cirrus: fix oob access issue (CVE-2017-2615) X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=6a207f06f62a58e5d56f463722bb23135cd1cc20;p=qemu-xen-traditional.git cirrus: fix oob access issue (CVE-2017-2615) When doing bitblt copy in backward mode, we should minus the blt width first just like the adding in the forward mode. This can avoid the oob access of the front of vga's vram. This is XSA-208. upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Signed-off-by: Li Qiang { kraxel: with backward blits (negative pitch) addr is the topmost address, so check it as-is against vram size ] [ This is CVE-2017-2615 / XSA-208 - Ian Jackson ] Cc: qemu-stable@nongnu.org Cc: P J P Cc: Laszlo Ersek Cc: Paolo Bonzini Cc: Wolfgang Bumiller Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) Signed-off-by: Gerd Hoffmann Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com Reviewed-by: Laszlo Ersek Signed-off-by: Stefano Stabellini Signed-off-by: Ian Jackson (cherry picked from commit c4018bc4d638918b3f8fb49dd3b379abb5658ee1) (cherry picked from commit a1d57bb66d5f7e3a86e47c01431c823e217b23ab) (cherry picked from commit a20cf3a6edd051f2f2eb734a7bcda6c6246740ff) (cherry picked from commit d0360192b805d13353b0bb100fe0cf927a2861e7) --- diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c index 00736d21..1b5106c8 100644 --- a/hw/cirrus_vga.c +++ b/hw/cirrus_vga.c @@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, { if (pitch < 0) { int64_t min = addr - + ((int64_t)s->cirrus_blt_height-1) * pitch; - int32_t max = addr - + s->cirrus_blt_width; - if (min < 0 || max >= s->vram_size) { + + ((int64_t)s->cirrus_blt_height - 1) * pitch + - s->cirrus_blt_width; + if (min < -1 || addr >= s->vram_size) { return true; } } else {