From patchwork Sun Dec 20 18:06:06 2009
X-Patchwork-Submitter: Roland Dreier
X-Patchwork-Id: 41512
From: Roland Dreier
To: Anthony Liguori
Cc: Dave Airlie, qemu-devel@nongnu.org
Date: Sun, 20 Dec 2009 10:06:06 -0800
Subject: [Qemu-devel] Re: [PATCH to consider for 0.12] vmware_vga: Don't crash on too-big DEFINE_CURSOR command
In-Reply-To: <4B2AB549.7090209@codemonkey.ws> (Anthony Liguori's message of "Thu, 17 Dec 2009 16:48:41 -0600")
References: <4B2AB1F2.3060507@codemonkey.ws> <4B2AB549.7090209@codemonkey.ws>

I see that you applied Dave's series, no worries on that, but I think we
really want the following, since a clever enough malicious guest can
probably turn the overrun into code execution in the host QEMU (though
I've not tried writing an exploit or anything like that)... not sure if
this merits the whole CVE process but it does look very much worth
fixing, and probably the other guest commands want auditing too...

===

vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow

Check that the cursor dimensions passed from the guest for the
DEFINE_CURSOR command don't overflow the available space in the
cursor.image[] or cursor.mask[] arrays before copying data from the
guest into those arrays.

Signed-off-by: Roland Dreier
---
 hw/vmware_vga.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index 7ab1c79..5e969ae 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c @@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) cursor.height = y = vmsvga_fifo_read(s); vmsvga_fifo_read(s); cursor.bpp = vmsvga_fifo_read(s); + + if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || + SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); + goto badcmd; + } + for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args ++) cursor.mask[args] = vmsvga_fifo_read_raw(s); for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)
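Review bot: the new check compares element counts against byte sizes. The loops immediately below use SVGA_BITMAP_SIZE(x, y) and SVGA_PIXMAP_SIZE(x, y, cursor.bpp) as index bounds for cursor.mask[args] and cursor.image[args], i.e. as numbers of array elements, whereas `sizeof cursor.mask` and `sizeof cursor.image` yield bytes. Unless those arrays have single-byte elements, the condition admits sizes several times larger than the arrays hold and the overflow stays reachable; compare against the element count instead, e.g. `SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask / sizeof cursor.mask[0]` (or an ARRAY_SIZE-style macro if the tree has one). Two smaller points: it is worth confirming that the two size macros cannot wrap for large guest-supplied x, y and bpp, since a wrapped product would pass this check, and bounding width and height individually before computing the sizes removes that concern; and the assignment to args before `goto badcmd` deserves a one-line comment, since its purpose is not evident from the hunk.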