1369de9828
CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)
80 lines
2.8 KiB
Diff
80 lines
2.8 KiB
Diff
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
Date: Wed, 3 Sep 2014 15:50:08 +0200
|
|
Subject: [PATCH] spice: make sure we don't overflow ssd->buf
|
|
|
|
Related spice-only bug. We have a fixed 16 MB buffer here, being
|
|
presented to the spice-server as qxl video memory in case spice is
|
|
used with a non-qxl card. It's also used with qxl in vga mode.
|
|
|
|
When using display resolutions requiring more than 16 MB of memory we
|
|
are going to overflow that buffer. In theory the guest can write,
|
|
indirectly via spice-server. The spice-server clears the memory after
|
|
setting a new video mode though, triggering a segfault in the overflow
|
|
case, so qemu crashes before the guest has a chance to do something
|
|
evil.
|
|
|
|
Fix that by switching to dynamic allocation for the buffer.
|
|
|
|
CVE-2014-3615
|
|
|
|
Cc: qemu-stable@nongnu.org
|
|
Cc: secalert@redhat.com
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
|
(cherry picked from commit ab9509cceabef28071e41bdfa073083859c949a7)
|
|
|
|
Conflicts:
|
|
ui/spice-display.c
|
|
---
|
|
ui/spice-display.c | 20 +++++++++++++++-----
|
|
1 file changed, 15 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/ui/spice-display.c b/ui/spice-display.c
|
|
index 82d8b9f..b130fe8 100644
|
|
--- a/ui/spice-display.c
|
|
+++ b/ui/spice-display.c
|
|
@@ -308,11 +308,23 @@ void qemu_spice_create_host_memslot(SimpleSpiceDisplay *ssd)
|
|
void qemu_spice_create_host_primary(SimpleSpiceDisplay *ssd)
|
|
{
|
|
QXLDevSurfaceCreate surface;
|
|
+ uint64_t surface_size;
|
|
|
|
memset(&surface, 0, sizeof(surface));
|
|
|
|
- dprint(1, "%s: %dx%d\n", __FUNCTION__,
|
|
- surface_width(ssd->ds), surface_height(ssd->ds));
|
|
+ surface_size = (uint64_t) surface_width(ssd->ds) *
|
|
+ surface_height(ssd->ds) * 4;
|
|
+ assert(surface_size > 0);
|
|
+ assert(surface_size < INT_MAX);
|
|
+ if (ssd->bufsize < surface_size) {
|
|
+ ssd->bufsize = surface_size;
|
|
+ g_free(ssd->buf);
|
|
+ ssd->buf = g_malloc(ssd->bufsize);
|
|
+ }
|
|
+
|
|
+ dprint(1, "%s/%d: %ux%u (size %" PRIu64 "/%d)\n", __func__, ssd->qxl.id,
|
|
+ surface_width(ssd->ds), surface_height(ssd->ds),
|
|
+ surface_size, ssd->bufsize);
|
|
|
|
surface.format = SPICE_SURFACE_FMT_32_xRGB;
|
|
surface.width = surface_width(ssd->ds);
|
|
@@ -343,8 +355,6 @@ void qemu_spice_display_init_common(SimpleSpiceDisplay *ssd)
|
|
if (ssd->num_surfaces == 0) {
|
|
ssd->num_surfaces = 1024;
|
|
}
|
|
- ssd->bufsize = (16 * 1024 * 1024);
|
|
- ssd->buf = g_malloc(ssd->bufsize);
|
|
}
|
|
|
|
/* display listener callbacks */
|
|
@@ -462,7 +472,7 @@ static void interface_get_init_info(QXLInstance *sin, QXLDevInitInfo *info)
|
|
info->num_memslots = NUM_MEMSLOTS;
|
|
info->num_memslots_groups = NUM_MEMSLOTS_GROUPS;
|
|
info->internal_groupslot_id = 0;
|
|
- info->qxl_ram_size = ssd->bufsize;
|
|
+ info->qxl_ram_size = 16 * 1024 * 1024;
|
|
info->n_surfaces = ssd->num_surfaces;
|
|
}
|
|
|